I have a few private forums where people should be able to upload files. But in the current version of pun_attachment, any logged in user can use the download url to download the file irrespective of whether the user has permissions to the forum.
Since the url looks like http://example.com/forums/misc.php?item … ownload=1, you can easily change the item id and get files which you should not have access to.

To fix this, the following code needs to be modified for hook id="mi_new_action". It is around line 1257 in manifest.xml in the version I am using.

                $query = array(
                    'SELECT'    => 'a.id, a.post_id, a.filename, a.file_ext, a.file_mime_type, a.size, a.file_path, a.topic_id',
                    'FROM'        => 'attach_files AS a',
                    'JOINS'        => array(
                        array(
                            'INNER JOIN'    => 'topics AS t',
                            'ON'        => 't.id=a.topic_id'
                        ),                       
                        array(
                            'INNER JOIN'    => 'forums AS f',
                            'ON'        => 'f.id=t.forum_id'
                        ),                       
                        array(
                            'LEFT JOIN'    => 'forum_perms AS fp',
                            'ON'        => '(fp.forum_id=f.id AND fp.group_id='.$forum_user['g_id'].')'
                        )                       
                    ),                   
                    'WHERE'        => 'a.id='.$attach_item.' AND (fp.read_forum IS NULL OR fp.read_forum=1)'
                );

It would be great if you would add this to the next release so that I do not need to maintain a separate version.

Warm regards,
Narayan