MDL-52261 filelib: Do login check for files in blocks

author Ben Kelada <ben.kelada@open.edu.au>

Mon, 23 Nov 2015 00:59:56 +0000 (11:59 +1100)

committer Ben Kelada <ben.kelada@open.edu.au>

Fri, 4 Dec 2015 00:00:05 +0000 (11:00 +1100)
author Ben Kelada <ben.kelada@open.edu.au>
Mon, 23 Nov 2015 00:59:56 +0000 (11:59 +1100)
committer Ben Kelada <ben.kelada@open.edu.au>
Fri, 4 Dec 2015 00:00:05 +0000 (11:00 +1100)
diff --git a/lib/filelib.php b/lib/filelib.php

index 4da13f2..4b1e7e8 100644 (file)
--- a/lib/filelib.php
+++ b/lib/filelib.php
@@ -4506,6 +4506,14 @@ function file_pluginfile($relativepath, $forcedownload, $preview = null) {
                  send_file_not_found();
              }
  
+            if ($context->get_course_context(false)) {
+                // If block is in course context, then check if user has capability to access course.
+                require_course_login($course);
+            } else if ($CFG->forcelogin) {
+                // If user is logged out, bp record will not be visible, even if the user would have access if logged in.
+                require_login();
+            }
+
              $bprecord = $DB->get_record('block_positions', array('contextid' => $context->id, 'blockinstanceid' => $context->instanceid));
              // User can't access file, if block is hidden or doesn't have block:view capability
              if (($bprecord && !$bprecord->visible) || !has_capability('moodle/block:view', $context)) {
author	Ben Kelada <ben.kelada@open.edu.au>
	Mon, 23 Nov 2015 00:59:56 +0000 (11:59 +1100)
committer	Ben Kelada <ben.kelada@open.edu.au>
	Fri, 4 Dec 2015 00:00:05 +0000 (11:00 +1100)