* @todo MDL-36050 improve capability check on stick blocks, so we can check user capability before sending images.
*/
function block_html_pluginfile($course, $birecord_or_cm, $context, $filearea, $args, $forcedownload, array $options=array()) {
- global $DB, $CFG;
+ global $DB, $CFG, $USER;
if ($context->contextlevel != CONTEXT_BLOCK) {
send_file_not_found();
if (!$category->visible) {
require_capability('moodle/category:viewhiddencategories', $parentcontext);
}
+ } else if ($parentcontext->contextlevel === CONTEXT_USER && $parentcontext->instanceid != $USER->id) {
+ // The block is in the context of a user, it is only visible to the user who it belongs to.
+ send_file_not_found();
}
- // At this point there is no way to check SYSTEM or USER context, so ignoring it.
+ // At this point there is no way to check SYSTEM context, so ignoring it.
}
if ($filearea !== 'content') {
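Review bot: The new `else if` owner check mixes a strict `===` on `$parentcontext->contextlevel` with a loose `!=` on the ids, while the first check in this function compares `contextlevel` with a loose `!=`. If `contextlevel` ever arrives as a numeric string rather than an int (not visible from this hunk), the strict test never matches and the file is served to any requester, so the branch fails open; normalising both sides makes the intent explicit, e.g. `(int)$parentcontext->contextlevel === CONTEXT_USER && (int)$parentcontext->instanceid !== (int)$USER->id`. The updated comment still leaves SYSTEM-context blocks unchecked, so I would word it as a known gap tied to the existing @todo: `// SYSTEM context blocks are served without a capability check (see MDL-36050).` The body of block_html_pluginfile starts and ends outside this hunk, so whether a login check runs before this branch cannot be confirmed from here.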