MDL-32155 blocks: User can't access file, if block is hidden or doesn't have block...
authorRajesh Taneja <rajesh@moodle.com>
Fri, 18 May 2012 06:55:32 +0000 (14:55 +0800)
committerRajesh Taneja <rajesh@moodle.com>
Wed, 23 May 2012 04:52:27 +0000 (12:52 +0800)
lib/filelib.php

index dbc1133..71ba2df 100644 (file)
@@ -4080,6 +4080,12 @@ function file_pluginfile($relativepath, $forcedownload, $preview = null) {
                 // somebody tries to gain illegal access, cm type must match the component!
                 send_file_not_found();
             }
+
+            $bprecord = $DB->get_record('block_positions', array('blockinstanceid' => $context->instanceid), 'visible');
+            // User can't access file, if block is hidden or doesn't have block:view capability
+            if (($bprecord && !$bprecord->visible) || !has_capability('moodle/block:view', $context)) {
+                 send_file_not_found();
+            }
         } else {
             $birecord = null;
         }
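Review bot: The `block_positions` lookup on the added `$bprecord = ...` line filters on `blockinstanceid` alone, and as far as I know that table can hold one row per page on which the block's position or visibility was overridden. With several rows, `get_record()` returns whichever comes first, so the hidden/visible decision for the file may be taken from a different page than the one the block belongs to. I would narrow the condition to the block's parent context, e.g. `array('blockinstanceid' => $context->instanceid, 'contextid' => $parentcontext->id)`, where `$parentcontext` is a placeholder for the parent of `$context` resolved just above. A missing row falls through to the capability check only, which looks intended but deserves a word in the comment, e.g. `// No block_positions row means no per-page override, so only block:view decides.` The enclosing `file_pluginfile()` starts and ends outside this hunk.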