1 files changed, 13 insertions, 14 deletions

diff --git a/config/kernel/auth_check.php b/config/kernel/auth_check.php
index 18de119..15b7ebc 100755
--- a/config/kernel/auth_check.php
+++ b/config/kernel/auth_check.php
@@ -2,32 +2,31 @@
 // Minimal session check - no framework bootstrap
 include 'auth_config.php';
 
-if( !empty( $_SESSION['user_role'] ) && $_SESSION['user_role'] > 0 ) {
-	http_response_code(200);
-	exit;
-}
-
-// anonymous - check content_id from URI
 preg_match( '|/attachments/\d+/(\d+)/|', $_SERVER['REQUEST_URI'], $matches );
 
 if( !empty( $matches[1] ) ) {
 	$contentId = (int)$matches[1];
 	try {
 		$pdo = new PDO( $gBitDbHost, $gBitDbUser, $gBitDbPassword );
-		$stmt = $pdo->prepare(
-			"SELECT COUNT(*) FROM LIBERTY_CONTENT_ROLE_MAP 
-             WHERE content_id = ?",
-		);
+
+		// get the role restriction for this content, if any
+		$stmt = $pdo->prepare( "SELECT ROLE_ID FROM LIBERTY_CONTENT_ROLE_MAP WHERE CONTENT_ID = ?" );
 		$stmt->execute( [$contentId] );
-		if( $stmt->fetchColumn() == 0 ) {
+		$requiredRoleId = $stmt->fetchColumn();
+
+		if( $requiredRoleId === false ) {
+			// no restriction - public content
+			http_response_code( 200 );
+		} elseif( in_array( (int)$requiredRoleId, $_SESSION['user_role'] ?? [] ) ) {
 			http_response_code( 200 );
 		} else {
 			http_response_code( 403 );
 		}
 	} catch( PDOException $e ) {
-		// db failure - deny access safely
 		http_response_code( 403 );
-		exit;
 	}
 	exit;
-}
\ No newline at end of file
+}
+
+// no content_id in URI - nothing to restrict
+http_response_code( 200 );
\ No newline at end of file