MDL-62232 mod_forum: Limit portfolio to files belonging to the post

author Adam Olley <adam.olley@blackboard.com>

Mon, 30 Apr 2018 03:27:24 +0000 (12:57 +0930)

committer Jun Pataleta <jun@moodle.com>

Thu, 10 May 2018 01:15:57 +0000 (09:15 +0800)
author Adam Olley <adam.olley@blackboard.com>
Mon, 30 Apr 2018 03:27:24 +0000 (12:57 +0930)
committer Jun Pataleta <jun@moodle.com>
Thu, 10 May 2018 01:15:57 +0000 (09:15 +0800)
diff --git a/mod/forum/locallib.php b/mod/forum/locallib.php

index b446d27..6f57004 100644 (file)
--- a/mod/forum/locallib.php
+++ b/mod/forum/locallib.php
@@ -95,6 +95,12 @@ class forum_portfolio_caller extends portfolio_module_caller_base {
          $fs = get_file_storage();
          if ($this->post) {
              if ($this->attachment) {
+                // Make sure the requested file belongs to this post.
+                $file = $fs->get_file_by_id($this->attachment);
+                if ($file->get_contextid() != $this->modcontext->id
+                    || $file->get_itemid() != $this->post->id) {
+                    throw new portfolio_caller_exception('filenotfound');
+                }
                  $this->set_file_and_format_data($this->attachment);
              } else {
                  $attach = $fs->get_area_files($this->modcontext->id, 'mod_forum', 'attachment', $this->post->id, 'timemodified', false);
author	Adam Olley <adam.olley@blackboard.com>
	Mon, 30 Apr 2018 03:27:24 +0000 (12:57 +0930)
committer	Jun Pataleta <jun@moodle.com>
	Thu, 10 May 2018 01:15:57 +0000 (09:15 +0800)