Prevent download if !dir is_exempt and file credits > user

total credits. Set an 'error' property on reply if file not found or not enough credits.
echicken · Apr 13, 2020 · aa48840 · aa48840
1 parent a03cd7d
commit aa48840
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/web/root/api/files.ssjs b/web/root/api/files.ssjs
@@ -1,3 +1,4 @@
+load('sbbsdefs.js');
 var settings = load('modopts.js', 'web');
 
 load(settings.web_directory + '/lib/init.js');
@@ -29,7 +30,14 @@ if ((http_request.method === 'GET' || http_request.method === 'POST') &&
 						return true;
 					}
 				});
-				if (file === null) break;
+				if (file === null) {
+					reply.error = 'File not found';
+					break;
+				}
+				if (!file_area.dir[dircode].is_exempt && file.credits > (user.security.credits + user.security.free_credits)) {
+					reply.error = 'Not enough credits to download this file';
+					break;
+				}
 				http_reply.header['Content-Type'] = 'application/octet-stream';
 				http_reply.header['Content-Disposition'] = 'attachment; filename="' + file.base + '.' + file.ext + '"';
 				http_reply.header['Content-Encoding'] = 'binary';