[Hack] Only Admin can see other user torrents

[DD32]

Well it came that i wanted to allow other users to use my TF box, but i DIDNT want them to see what other users were downloading.

So i hacked the code alittle.

This will make NORMAL users only able to see their OWN torrents, they CANT see what other users are downloading. Admins can still see other files.

This wasnt done to a Vanilla install, this is the "torrentflux_2.1+" install pack from one of thee multihacks things.

Heres the changes for mine:

Code

Line 2916
Find:
    if (sizeof($arListTorrent) > 0)
Replace with:
    if ( (sizeof($arListTorrent) > 0) && (IsAdmin() == true) )
 

Thats the only change.
In a vanilla install(Which i havnt tested) the line is 2520, same change as above should be made.

I was thinking of making it so as the users can see the download percentage/speed/status just couldnt see the torrent names, And i may do that later, this was just a quick hack to add the fuction in so i could let others onto it ASAP.


:::EDIT:::
Part 2:
I Forgot about dir.php!

Code

Line: About 34
Find
$dir = stripslashes(urldecode(getRequestVar('dir')));
 
And place this after it:
if (IsAdmin() == false){
	$cfg['path'] = $cfg['path'].$cfg['user'].'/';
	if( substr($dir,0,strlen($cfg['user'])) == $cfg['user'] ){
		$dir = substr($dir,strlen($cfg['user']));
	}
}
 
it now looks like this:
 
$dir = stripslashes(urldecode(getRequestVar('dir')));
 
if (IsAdmin() == false){
	$cfg['path'] = $cfg['path'].$cfg['user'].'/';
	if( substr($dir,0,strlen($cfg['user'])) == $cfg['user'] ){
		$dir = substr($dir,strlen($cfg['user']));
	}
}
 
 

I think i've covered everything thing now

::::Edit2::::
'doh.. noticed another file.
History.php:

Code

Line: About 55
 
Find this:
 
$sql = "SELECT user_id, file, time FROM tf_log WHERE action=".$db->qstr($cfg["constants"]["url_upload"])." OR action=".$db->qstr($cfg["constants"]["file_upload"])." ORDER BY time desc";
 
Replace with this:
 
	if (IsAdmin() == true){
	    $sql = "SELECT user_id, file, time FROM tf_log WHERE action=".$db->qstr($cfg["constants"]["url_upload"])." OR action=".$db->qstr($cfg["constants"]["file_upload"])." ORDER BY time desc";
	} else {
		$sql = "SELECT user_id, file, time FROM tf_log WHERE user_id='".$cfg['user']."' AND ( action=".$db->qstr($cfg["constants"]["url_upload"])." OR action=".$db->qstr($cfg["constants"]["file_upload"])." ) ORDER BY time desc";
	}
 
 

Hope its of use to someone

NOTE: can someone else please tell me if download files/tar directory still works? Its failing on my install, and i cant see any reason for it to.

DD32

EDIT:
The Codebase for this was this: http://www.torrentflux.com/forum/index.php?topic=1265.0

[wobbles]

other users on my tf server wanted this mod and now it is intergrated, tell you later how it goes (Excellent mod though)

[wobbles]

just tested the mod and it works great.

Good work DD32

[DD32]

just tested the mod and it works great.

Good work DD32

Cheers

First mod knocked over, now to add in wget support somehow..

D

[mb.Tab]

just tested the mod and it works great.

Good work DD32

Cheers

First mod knocked over, now to add in wget support somehow..

D

Hey could you pls drop me a line when you have finished the wget support, would be really cool

mb.Tab

[watermelon245]

I'm liking this hack.

[Lightning-Torrents.co.uk]

im not quite sure how to apply this hack please could some one PM me a step by step guide

thank you

--host-away

[PlymWS]

Which file do you perform the first code modification on ?

[lysip]

whats the point in this? it kinda leads to wasted bandwidth.

[Niko]

PlymWS,

grep -H arListTorrent *.php
functions.php:    $arListTorrent = array();
functions.php:            array_push($arListTorrent, $output);
functions.php:    if (sizeof($arListTorrent) > 0)
functions.php:        foreach($arListTorrent as $torrentrow)

So it is somewhere in functions.php

[PlymWS]

Nice one.  Thanks.  Got it working fine now.

Shame I can't get wget to work

[ghaniba]

I think I found an issue -- a user (Non admin) cannot delete files with the modified dir.php -- Anyone else find this?  There's a chance I botched something up, but it IS hiding other people's directories as it should.  Thoughts?

-Ghan

[b4rt]

I think I found an issue -- a user (Non admin) cannot delete files with the modified dir.php -- Anyone else find this?  There's a chance I botched something up, but it IS hiding other people's directories as it should.  Thoughts?

-Ghan

yeah that is a bug in this hack.
its based on the fact the hack alters the php-var $dir which the sanity-check for prevention of deleting data not owned by the user relies on.


regards,
b4rt

[flosoft]

I think I found an issue -- a user (Non admin) cannot delete files with the modified dir.php -- Anyone else find this?  There's a chance I botched something up, but it IS hiding other people's directories as it should.  Thoughts?

-Ghan

yeah that is a bug in this hack.
its based on the fact the hack alters the php-var $dir which the sanity-check for prevention of deleting data not owned by the user relies on.


regards,
b4rt

It really would be nice if this would be fixed. Any fix would be nice.

[christian.einarsson]

I've made a crude fix to the delete bug in this hack, simply by commenting out the code that checks user identity. I don't know if this opens up any security issues. I just thought naively that if users can't see each others files then they can't delete them even if I remove the checking of identity

to apply this fix you should find two code sections in dir.php (one is shown below and the other one looks almost the same) and comment-out/delete every thing but the long echo that displays the delete button.

Before:

Code:

                // The following lines of code were suggested by Jody Steele jmlsteele@stfu.ca
                // this is so only the owner of the file(s) or admin can delete
                // only give admins and users who "own" this directory
                // the ability to delete sub directories
                if(IsAdmin($cfg["user"]) || preg_match("/^" . $cfg["user"] . "/",$dir))
                {
                    echo "<a href=\"dir.php?del=".urlencode($dir.$entry)."\" onclick=\"return ConfirmDelete('".addslashes($entry)."')\"><img src=\"\images/delete_on.gif\" width=16 height=16 title=\""._DELETE."\" border=0></a>";
                }
                else
                {
                   echo "&nbsp;";
                }

After:

Code:

                // The following lines of code were suggested by Jody Steele jmlsteele@stfu.ca
                // this is so only the owner of the file(s) or admin can delete
                // only give admins and users who "own" this directory
                // the ability to delete sub directories
//              if(IsAdmin($cfg["user"]) || preg_match("/^" . $cfg["user"] . "/",$dir))
//              {
                    echo "<a href=\"dir.php?del=".urlencode($dir.$entry)."\" onclick=\"return ConfirmDelete('".addslashes($entry)."')\"><img src=\"\images/delete_on.gif\" width=16 height=16 title=\""._DELETE."\" border=0></a>";
//              }
//              else
//              {
//                 echo "&nbsp;";
//              }