[Hack] Only Admin can see other user torrents

[DD32]

Well it came that i wanted to allow other users to use my TF box, but i DIDNT want them to see what other users were downloading.

So i hacked the code alittle.

This will make NORMAL users only able to see their OWN torrents, they CANT see what other users are downloading. Admins can still see other files.

This wasnt done to a Vanilla install, this is the "torrentflux_2.1+" install pack from one of thee multihacks things.

Heres the changes for mine:

Code

Line 2916
Find:
    if (sizeof($arListTorrent) > 0)
Replace with:
    if ( (sizeof($arListTorrent) > 0) && (IsAdmin() == true) )
 

Thats the only change.
In a vanilla install(Which i havnt tested) the line is 2520, same change as above should be made.

I was thinking of making it so as the users can see the download percentage/speed/status just couldnt see the torrent names, And i may do that later, this was just a quick hack to add the fuction in so i could let others onto it ASAP.


:::EDIT:::
Part 2:
I Forgot about dir.php!

Code

Line: About 34
Find
$dir = stripslashes(urldecode(getRequestVar('dir')));
 
And place this after it:
if (IsAdmin() == false){
	$cfg['path'] = $cfg['path'].$cfg['user'].'/';
	if( substr($dir,0,strlen($cfg['user'])) == $cfg['user'] ){
		$dir = substr($dir,strlen($cfg['user']));
	}
}
 
it now looks like this:
 
$dir = stripslashes(urldecode(getRequestVar('dir')));
 
if (IsAdmin() == false){
	$cfg['path'] = $cfg['path'].$cfg['user'].'/';
	if( substr($dir,0,strlen($cfg['user'])) == $cfg['user'] ){
		$dir = substr($dir,strlen($cfg['user']));
	}
}
 
 

I think i've covered everything thing now

::::Edit2::::
'doh.. noticed another file.
History.php:

Code

Line: About 55
 
Find this:
 
$sql = "SELECT user_id, file, time FROM tf_log WHERE action=".$db->qstr($cfg["constants"]["url_upload"])." OR action=".$db->qstr($cfg["constants"]["file_upload"])." ORDER BY time desc";
 
Replace with this:
 
	if (IsAdmin() == true){
	    $sql = "SELECT user_id, file, time FROM tf_log WHERE action=".$db->qstr($cfg["constants"]["url_upload"])." OR action=".$db->qstr($cfg["constants"]["file_upload"])." ORDER BY time desc";
	} else {
		$sql = "SELECT user_id, file, time FROM tf_log WHERE user_id='".$cfg['user']."' AND ( action=".$db->qstr($cfg["constants"]["url_upload"])." OR action=".$db->qstr($cfg["constants"]["file_upload"])." ) ORDER BY time desc";
	}
 
 

Hope its of use to someone

NOTE: can someone else please tell me if download files/tar directory still works? Its failing on my install, and i cant see any reason for it to.

DD32

EDIT:
The Codebase for this was this: http://www.torrentflux.com/forum/index.php?topic=1265.0

[wobbles]

other users on my tf server wanted this mod and now it is intergrated, tell you later how it goes (Excellent mod though)

[wobbles]

just tested the mod and it works great.

Good work DD32

[DD32]

just tested the mod and it works great.

Good work DD32

Cheers

First mod knocked over, now to add in wget support somehow..

D

[mb.Tab]

just tested the mod and it works great.

Good work DD32

Cheers

First mod knocked over, now to add in wget support somehow..

D

Hey could you pls drop me a line when you have finished the wget support, would be really cool

mb.Tab

[watermelon245]

I'm liking this hack.

[Lightning-Torrents.co.uk]

im not quite sure how to apply this hack please could some one PM me a step by step guide

thank you

--host-away

[PlymWS]

Which file do you perform the first code modification on ?

[lysip]

whats the point in this? it kinda leads to wasted bandwidth.

[Niko]

PlymWS,

grep -H arListTorrent *.php
functions.php:    $arListTorrent = array();
functions.php:            array_push($arListTorrent, $output);
functions.php:    if (sizeof($arListTorrent) > 0)
functions.php:        foreach($arListTorrent as $torrentrow)

So it is somewhere in functions.php

[PlymWS]

Nice one.  Thanks.  Got it working fine now.

Shame I can't get wget to work

[ghaniba]

I think I found an issue -- a user (Non admin) cannot delete files with the modified dir.php -- Anyone else find this?  There's a chance I botched something up, but it IS hiding other people's directories as it should.  Thoughts?

-Ghan

[b4rt]

I think I found an issue -- a user (Non admin) cannot delete files with the modified dir.php -- Anyone else find this?  There's a chance I botched something up, but it IS hiding other people's directories as it should.  Thoughts?

-Ghan

yeah that is a bug in this hack.
its based on the fact the hack alters the php-var $dir which the sanity-check for prevention of deleting data not owned by the user relies on.


regards,
b4rt

[flosoft]

I think I found an issue -- a user (Non admin) cannot delete files with the modified dir.php -- Anyone else find this?  There's a chance I botched something up, but it IS hiding other people's directories as it should.  Thoughts?

-Ghan

yeah that is a bug in this hack.
its based on the fact the hack alters the php-var $dir which the sanity-check for prevention of deleting data not owned by the user relies on.


regards,
b4rt

It really would be nice if this would be fixed. Any fix would be nice.

[christian.einarsson]

I've made a crude fix to the delete bug in this hack, simply by commenting out the code that checks user identity. I don't know if this opens up any security issues. I just thought naively that if users can't see each others files then they can't delete them even if I remove the checking of identity

to apply this fix you should find two code sections in dir.php (one is shown below and the other one looks almost the same) and comment-out/delete every thing but the long echo that displays the delete button.

Before:

Code:

                // The following lines of code were suggested by Jody Steele jmlsteele@stfu.ca
                // this is so only the owner of the file(s) or admin can delete
                // only give admins and users who "own" this directory
                // the ability to delete sub directories
                if(IsAdmin($cfg["user"]) || preg_match("/^" . $cfg["user"] . "/",$dir))
                {
                    echo "<a href=\"dir.php?del=".urlencode($dir.$entry)."\" onclick=\"return ConfirmDelete('".addslashes($entry)."')\"><img src=\"\images/delete_on.gif\" width=16 height=16 title=\""._DELETE."\" border=0></a>";
                }
                else
                {
                   echo "&nbsp;";
                }

After:

Code:

                // The following lines of code were suggested by Jody Steele jmlsteele@stfu.ca
                // this is so only the owner of the file(s) or admin can delete
                // only give admins and users who "own" this directory
                // the ability to delete sub directories
//              if(IsAdmin($cfg["user"]) || preg_match("/^" . $cfg["user"] . "/",$dir))
//              {
                    echo "<a href=\"dir.php?del=".urlencode($dir.$entry)."\" onclick=\"return ConfirmDelete('".addslashes($entry)."')\"><img src=\"\images/delete_on.gif\" width=16 height=16 title=\""._DELETE."\" border=0></a>";
//              }
//              else
//              {
//                 echo "&nbsp;";
//              }

[g4v1n]

Erm both those thingo's u pasted are the same .. ?

[g4v1n]

sorry didnt understand your post

Ok well i got it to work just the icon aint showing

Ive tried all types of HTML and made the link proper and it just shows up wierd :/

[g4v1n]

ok got it

Do all the code the first post reccomended

For the last one

Ctrl f and find

Code:

<img src=\"images/tar_down.gif\

That is where you will get taken to the page where is has maketorrent

Directly under neath it leave a space and put
(With editing out all of the line it will be similar to the below)

Code:

echo "<a href=\"dir.php?del=".urlencode($dir.$entry)."\" onclick=\"return ConfirmDelete('".addslashes($entry)."')\"><img src=\"images/delete_on.gif\" width=16 height=16 title=\""._DELETE."\" border=0></a>";

Hope that helps =]

[ghaniba]

Hmmm, not working in 2.2beta1 yet.  The code still fits but it breaks something.  Just an FYI.

-Ghan

[legend]

what file do you edit in the first post that the user code'd :


What file is this?

Thanks!



Code: (php)

Line 2916
Find:
    if (sizeof($arListTorrent) > 0)
Replace with:
    if ( (sizeof($arListTorrent) > 0) && (IsAdmin() == true) )

[PaulW]

Ok, my first post, and a solution to the delete files issue...

Do what is mentioned in the first post, EXCEPT for the modification to the dir.php file!!!

Instead, do this

Code:

FIND (line 34)
$dir = stripslashes(urldecode(getRequestVar('dir')));

AFTER, ADD
// TorrentFlux Admin Mod
if (IsAdmin() == false){
if( substr($dir,0,strlen($cfg['user'])) != $cfg['user'] ){
$dir = $cfg["user"] . "/" . $dir;
}
}

This then just hard-codes the dir variable with the username, and even if you try to type the name of another user in its place, it will still not allow access to other files EXCEPT your own when not admin...

Also, legend, the CODE section your wondering what file its in, look in functions.php

Hope this helps!

Paul

[joewen7]

Hi, I've encountered a problem here.

Apparently, it doesn't work if I install this together with the CHMOD Hack, found here.

http://www.torrentflux.com/forum/index.php/topic,242.0/all.html

I used the one posted all the way at the bottom, which works for TF2.3. It just doesn't want to work together with the CHMOD hack. It works fine on its own or with other hacks. lol.

Any ideas, anyone?

[xon]

what file do you edit in the first post that the user code'd :


What file is this?

Thanks!



Code: (php)

Line 2916
Find:
    if (sizeof($arListTorrent) > 0)
Replace with:
    if ( (sizeof($arListTorrent) > 0) && (IsAdmin() == true) )

-function.php-

The file is quite shorter than it was in an earlier version of TF.
I changed it a few minutes ago and it works like a charm

THANKS!

xon

[beetlejelly]

Has anyone gotten this to work on 2.3? It works as in it only show normal users there own torrents but the downloads fail. "Download Failed!"
any help on this would be great!