Skip to content
Snippets Groups Projects
Normal view History Permalink
attachment.php 1.22 KiB
Newer Older
Thane de Loth's avatar
Adopt translation work from Thane de Loth  
Thane de Loth committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 
<?php
/*********************************************************************
    attachment.php

    Attachments interface for clients.
    Clients should never see the dir paths.

    Peter Rotich <peter@osticket.com>
    Copyright (c)  2006-2013 osTicket
    http://www.osticket.com

    Released under the GNU General Public License WITHOUT ANY WARRANTY.
    See LICENSE.TXT for details.

    vim: expandtab sw=4 ts=4 sts=4:
**********************************************************************/
require('secure.inc.php');
require_once(INCLUDE_DIR.'class.attachment.php');
//Basic checks
if(!$thisclient
        || !$_GET['id']
        || !$_GET['h']
        || !($attachment=Attachment::lookup($_GET['id']))
        || !($file=$attachment->getFile()))
Jared Hancock's avatar
i18n: Simplify and consolidate error messages  
Jared Hancock committed
25 
    Http::response(404, __('Unknown or invalid file'));
Thane de Loth's avatar
Adopt translation work from Thane de Loth  
Thane de Loth committed
26 27 28 29 30 31 

//Validate session access hash - we want to make sure the link is FRESH! and the user has access to the parent ticket!!
$vhash=md5($attachment->getFileId().session_id().strtolower($file->getKey()));
if(strcasecmp(trim($_GET['h']),$vhash)
        || !($ticket=$attachment->getTicket())
        || !$ticket->checkUserAccess($thisclient))
Jared Hancock's avatar
i18n: Simplify and consolidate error messages  
Jared Hancock committed
32 
    Http::response(404, __('Unknown or invalid file'));
Thane de Loth's avatar
Adopt translation work from Thane de Loth  
Thane de Loth committed
33 34 35 36 
//Download the file..
$file->download();

?>