Sorry for resurrecting this very old post. I've been testing version 2.12 of this mod on my 1.5.4 server.
Was this bug patched in the release package of v2.12?
It looks like I am able to circumvent this restriction by using Ajeh's method of putting any non-restricted category plus a restricted product id in a URL.
Here's what I've discovered:
If I'm not logged in as a user and try to directly access a restricted product, it throws a simple one-line note of "OOPS - ILLEGAL ACCESS !".
However, if I am logged in as a valid user who is NOT a privileged user, I was able to view the product and add it to the user's shopping basket.

I've attempted to apply the hot fix code in post #9 by replacing the first part of tpl_document_product_info_display.php. It didn't seem to change any of the behavior. But I figured it wouldn't, since the post is very old and looks like it's for versions before 2.0.

Lastly, products by manufacturer doesn't seem to work at all. Which file controls this anyway? I'm guessing it is the default_filter.php file.

Any help would be appreciated. I have a somewhat cult-like following for my products, and my customers are extremely crafty: I have people who engineered bots for walking my catalog for scalping, but many users have actually been guessing incremental product numbers to find newly created but hidden products, which I really want to put an end to.

Any help is greatly appreciated.
Quote Originally Posted by frank18
Plugged the security hole.

File /includes/templates/MY_TEMPLATE/templates/tpl_product_info_display.php amended to this:

Code:
[ file header here]

<?php
/**
 * CATEGORY_RESTRICTION - find corresponding master category for the current product
 */
$products_id_to_block = $_GET['products_id'];
global $db;
$sql = "select master_categories_id from " . TABLE_PRODUCTS . " where products_id = :productID:";
$sql = $db->bindVars($sql, ':productID:', $products_id_to_block, 'integer');
$result = $db->Execute($sql);

if ($result->RecordCount() > 0) {
  echo '(used for testing purposes): Master Category ID = ' . $result->fields['master_categories_id'];
} else {
  echo 'Sorry, no record found for product number ' . $products_id_to_block;
}

if (!$_SESSION['customer_id'] && !$_SESSION['customers_privileges'] > 0 && in_array($result->fields['master_categories_id'], explode(',', CATEGORY_RESTRICTION_LOGIN_CATEGORY))) {
  //echo ' - this product should be blocked !!';
  echo TEXT_ILLEGAL_ACCESS;
} else { // bof CATEGORY_RESTRICTION - OPEN ACCESS

.... original body of the file

.... then at the bottom added after 
<!--bof Form close-->
 
<?php 
    } // eof CATEGORY_RESTRICTION - OPEN ACCESS 
?> 
</div>
Thanks again for pointing this out, Ajeh!
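As an added example (not code from the Category Restriction mod, from Zen Cart, or from frank18's post), the script below models the access decision this thread is about: it transcribes the condition from the quoted template next to a hardened version and runs both over the cases described above, including the bypass where a non-restricted cPath is pasted in front of a restricted products_id and the case of a logged-in customer with no privilege. The category constant value, the product table, and the privilege values are constructed assumptions; in the real template the category comes from the TABLE_PRODUCTS query shown in the quote.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Category Restriction mod or from frank18's post.
// Assumed (not from the page): the restricted category list is a comma-separated
// string constant, privilege is an integer in $_SESSION['customers_privileges'],
// and a small array stands in for the TABLE_PRODUCTS lookup of master_categories_id.

const CATEGORY_RESTRICTION_LOGIN_CATEGORY = '12,15';   // constructed sample value

// Constructed stand-in for "select master_categories_id from products where products_id = ?".
const PRODUCTS = [
    101 => 3,   // public product
    102 => 12,  // product whose master category is restricted
    103 => 15,  // another restricted product
];

function restrictedCategoryIds(): array
{
    return array_map('intval', explode(',', CATEGORY_RESTRICTION_LOGIN_CATEGORY));
}

// The posted condition, transcribed. Two things to notice:
//  1. In PHP `!` binds tighter than `>`, so `!$privileges > 0` is `(!$privileges) > 0`,
//     which is simply "privileges is falsy".
//  2. The leading `!$customerId &&` means the block can only fire for anonymous visitors;
//     any logged-in customer, privileged or not, reaches the product page.
function isBlockedAsPosted(?int $customerId, ?int $privileges, int $masterCategoryId): bool
{
    return !$customerId
        && !$privileges > 0
        && in_array($masterCategoryId, restrictedCategoryIds(), true);
}

// Hardened decision: the category is resolved from products_id alone (cPath is attacker
// controlled and never consulted), an unknown product fails closed, and a restricted
// category requires both a login and a positive privilege level.
function isBlockedHardened(?int $customerId, ?int $privileges, ?int $masterCategoryId): bool
{
    if ($masterCategoryId === null) {
        return true;   // guessed id with no row: deny rather than render
    }
    if (!in_array($masterCategoryId, restrictedCategoryIds(), true)) {
        return false;  // unrestricted category: anyone may view
    }
    $loggedIn   = $customerId !== null && $customerId > 0;
    $privileged = ($privileges ?? 0) > 0;
    return !($loggedIn && $privileged);
}

// Emulates one request; the visitor controls both cPath and products_id in the URL.
function decide(array $get, array $session): array
{
    $productsId = isset($get['products_id']) ? (int)$get['products_id'] : 0;
    $master     = PRODUCTS[$productsId] ?? null;   // cPath deliberately ignored
    $cid        = isset($session['customer_id']) ? (int)$session['customer_id'] : null;
    $priv       = isset($session['customers_privileges']) ? (int)$session['customers_privileges'] : null;
    return [
        // With no row, the posted check has no category to compare and falls through, so report n/a.
        'as_posted' => $master === null ? null : isBlockedAsPosted($cid, $priv, $master),
        'hardened'  => isBlockedHardened($cid, $priv, $master),
    ];
}

// Constructed cases. cPath=3 is an unrestricted category placed in front of a restricted id.
$cases = [
    'anonymous, restricted product'        => [['cPath' => '3', 'products_id' => '102'], []],
    'logged in, no privilege, restricted'  => [['cPath' => '3', 'products_id' => '102'], ['customer_id' => 7, 'customers_privileges' => 0]],
    'logged in, privileged, restricted'    => [['cPath' => '3', 'products_id' => '102'], ['customer_id' => 8, 'customers_privileges' => 1]],
    'anonymous, public product'            => [['cPath' => '3', 'products_id' => '101'], []],
    'guessed id that does not exist'       => [['cPath' => '3', 'products_id' => '999'], []],
];

foreach ($cases as $label => [$get, $session]) {
    $r = decide($get, $session);
    printf("%-38s as posted: %-6s hardened: %s\n",
        $label,
        $r['as_posted'] === null ? 'n/a' : ($r['as_posted'] ? 'BLOCK' : 'allow'),
        $r['hardened'] ? 'BLOCK' : 'allow');
}
```

Run it with `php example.php`. The second case is the one reported at the top of the thread: the transcribed condition lets a logged-in, unprivileged customer through, while the hardened version blocks. The last case covers the incremental-id guessing mentioned above; failing closed on an unknown id also means the page no longer confirms whether a product number exists.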