MDL-22991, repository recent plugin, verify file ownership before copy to draft area
authorDongsheng Cai <unoter@gmail.com>
Fri, 9 Jul 2010 06:13:47 +0000 (06:13 +0000)
committerDongsheng Cai <unoter@gmail.com>
Fri, 9 Jul 2010 06:13:47 +0000 (06:13 +0000)
lang/en/repository.php
repository/recent/lib.php

index 07181de..6ad9b63 100644 (file)
@@ -84,6 +84,7 @@ $string['enter'] = 'Enter';
 $string['entername'] = 'Please enter folder name';
 $string['enternewname'] = 'Please enter the new file name';
 $string['error'] = 'An unknown error occurred!';
+$string['errornotyourfile'] = 'You cannot pick file which is not added by your';
 $string['existingrepository'] = 'This repository already exists';
 $string['federatedsearch'] = 'Federated search';
 $string['filename'] = 'Filename';
index 53ee42b..e3e1fed 100755 (executable)
@@ -182,6 +182,9 @@ class repository_recent extends repository {
         // To get 'recent' plugin working, we need to use lower level file_stoarge class to bypass the
         // capability check, we will use a better workaround to improve it.
         if ($stored_file = $fs->get_file($contextid, $component, $filearea, $fileitemid, $filepath, $filename)) {
+            if ($USER->id != $stored_file->get_userid()) {
+                throw new moodle_exception('errornotyourfile', 'repository');
+            }
             $file_record = array('contextid'=>$user_context->id, 'component'=>'user', 'filearea'=>'draft',
                 'itemid'=>$new_itemid, 'filepath'=>$new_filepath, 'filename'=>$new_filename);
             if ($file = $fs->get_file($user_context->id, 'user', 'draft', $new_itemid, $new_filepath, $new_filename)) {
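Review bot: The new ownership test `if ($USER->id != $stored_file->get_userid())` uses a loose comparison, so a stored file with no recorded owner (if `get_userid()` can return null or 0) would compare equal to an empty or zero `$USER->id` and still be copied to the draft area. The comment just above says this path deliberately bypasses the capability check, which makes this comparison the only access control here, so it should fail closed: `if (empty($USER->id) || (int)$USER->id !== (int)$stored_file->get_userid()) {`. The enclosing method starts outside the hunk, so confirm that `global $USER;` is declared there; without it `$USER->id` would be null and the check would not mean what it appears to. The new `errornotyourfile` text in lang/en/repository.php also reads as cut off ("not added by your"); something like `'You cannot pick a file which was not added by you'` would be clearer to the user who hits this error.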