MDL-27586 fix file_browser access control
authorPetr Skoda <commits@skodak.org>
Sat, 6 Aug 2011 13:45:18 +0000 (15:45 +0200)
committerPetr Skoda <commits@skodak.org>
Sat, 6 Aug 2011 13:45:18 +0000 (15:45 +0200)
lib/filebrowser/file_info_context_course.php
lib/filebrowser/file_info_context_module.php

index df8b0c4..14f5283 100644 (file)
@@ -53,10 +53,20 @@ class file_info_context_course extends file_info {
      * @param $filename
      */
     public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
+        // try to emulate require_login() tests here
+        if (!isloggedin()) {
+            return null;
+        }
+
         if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $this->context)) {
             return null;
         }
 
+        if (!is_viewing($this->context) and !is_enrolled($this->context)) {
+            // no peaking here if not enrolled or inspector
+            return null;
+        }
+
         if (empty($component)) {
             return $this;
         }
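Review bot: The enrolment gate added just before the `empty($component)` test calls `is_enrolled($this->context)` with its defaults, and as far as I know the only-active argument defaults to false, so a user whose enrolment is suspended or expired would still pass a check that is meant to mirror require_login(). If active enrolment is the intended bar, pass it explicitly: `if (!is_viewing($this->context) and !is_enrolled($this->context, null, '', true)) {`. The same call appears in the file_info_context_module hunk and would need the same change. The body of get_file_info continues outside the hunk, so I cannot see whether later per-area checks narrow this further.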
index e72e315..a8149c6 100644 (file)
@@ -75,11 +75,28 @@ class file_info_context_module extends file_info {
      * @param $filename
      */
     public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
-        if (!is_enrolled($this->context) and !is_viewing($this->context)) {
+        // try to emulate require_login() tests here
+        if (!isloggedin()) {
+            return null;
+        }
+
+        $coursecontext = get_course_context($this->context);
+        if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $coursecontext)) {
+            return null;
+        }
+
+        if (!is_viewing($this->context) and !is_enrolled($this->context)) {
             // no peaking here if not enrolled or inspector
             return null;
         }
 
+        $modinfo = get_fast_modinfo($this->course);
+        $cminfo = $modinfo->get_cm($this->cm->id);
+        if (!$cminfo->uservisible) {
+            // activity hidden sorry
+            return null;
+        }
+
         if (empty($component)) {
             return $this;
         }
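Review bot: The comment `// try to emulate require_login() tests here` at the top of get_file_info does not say which checks are covered, so a maintainer cannot tell what the caller is still expected to enforce. I would replace it with the sequence the new code implements, e.g. `// access gate: logged in, course visible or viewhiddencourses, enrolled or viewing, activity uservisible; any failure returns null`. The docblock, which starts outside the hunk, should also state that null is the access-denied result as well as the not-found one. It is also worth confirming that `get_course_context($this->context)` always yields a context here, since its result is passed straight to `has_capability()` without a check.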