From 288c8cb7f1583e0ee93dfc0ca1efc8ed3ff1b96a Mon Sep 17 00:00:00 2001
From: Ben Kelada
Date: Mon, 23 Nov 2015 11:59:56 +1100
Subject: [PATCH] MDL-52261 filelib: Do login check for files in blocks
---
 lib/filelib.php | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/filelib.php b/lib/filelib.php
index 4da13f28dc7..4b1e7e80fbf 100644
--- a/lib/filelib.php
+++ b/lib/filelib.php
@@ -4506,6 +4506,14 @@ function file_pluginfile($relativepath, $forcedownload, $preview = null) {
 send_file_not_found();
 }
 
+ if ($context->get_course_context(false)) {
+ // If block is in course context, then check if user has capability to access course.
+ require_course_login($course);
+ } else if ($CFG->forcelogin) {
+ // If user is logged out, bp record will not be visible, even if the user would have access if logged in.
+ require_login();
+ }
+
 $bprecord = $DB->get_record('block_positions', array('contextid' => $context->id, 'blockinstanceid' => $context->instanceid));
 // User can't access file, if block is hidden or doesn't have block:view capability
 if (($bprecord && !$bprecord->visible) || !has_capability('moodle/block:view', $context)) {
--
2.43.0
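Review bot: The added `if`/`else if` leaves one path with no login check at all. When `get_course_context(false)` returns false and `$CFG->forcelogin` is off, execution falls through to the `block_positions` lookup. Files of blocks outside any course are then gated only by the visibility test and `moodle/block:view`, evaluated for whoever the request runs as, possibly a user who is not logged in. If that is intended, say so next to the branch, e.g. `// No course context and forcelogin off: access is decided solely by block visibility and moodle/block:view below.` `$course` is assigned outside this hunk (the body of `file_pluginfile` starts before it and continues after it), so confirm it is always populated when the block context has a course context before it reaches `require_course_login($course)`.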