Improves efficiency in showAttachments() perms checks

Signed-off-by: Jon Stovell <jonstovell@gmail.com>

Sources/Profile-Export.php

@@ -669,6 +669,10 @@ function export_attachment($uid)
 	// Try to avoid collisons when attachment names are not unique.
 	$context['prepend_attachment_id'] = true;
 
+	// Allow access to their attachments even if they can't see the board.
+	// This is just like what we do with posts during export.
+	$context['attachment_allow_hidden_boards'] = true;
+
 	// We should now have what we need to serve the file.
 	require_once($sourcedir . DIRECTORY_SEPARATOR . 'ShowAttachments.php');
 	showAttachment();

Sources/ShowAttachments.php

@@ -164,6 +164,22 @@ function showAttachment()
 			cache_put_data('attachment_lookup_id-' . $file['id_attach'], array($file, $thumbFile), mt_rand(850, 900));
 	}
 
+	// Can they see attachments on this board?
+	if (!empty($file['id_msg']))
+	{
+		// Special case for profile exports.
+		if (!empty($context['attachment_allow_hidden_boards']))
+		{
+			$boards_allowed = array(0);
+		}
+		// Check permissions and board access.
+		elseif (($boards_allowed = cache_get_data('view_attachment_boards_id-' . $user_info['id'])) == null)
+		{
+			$boards_allowed = boardsAllowedTo('view_attachments');
+			cache_put_data('view_attachment_boards_id-' . $user_info['id'], $boards_allowed, mt_rand(850, 900));
+		}
+	}
+
 	// No access if you don't have permission to see this attachment.
 	if
 	(
@@ -185,7 +201,7 @@ function showAttachment()
 				!empty($file['id_msg'])
 				&& (
 					empty($file['id_board'])
-					|| !allowedTo('view_attachments', $file['id_board'])
+					|| ($boards_allowed !== array(0) && !in_array($file['id_board'], $boards_allowed))
 				)
 			)
 		)