From 288c8cb7f1583e0ee93dfc0ca1efc8ed3ff1b96a Mon Sep 17 00:00:00 2001
From: Ben Kelada <ben.kelada@open.edu.au>
Date: Mon, 23 Nov 2015 11:59:56 +1100
Subject: [PATCH] MDL-52261 filelib: Do login check for files in blocks

---
 lib/filelib.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/filelib.php b/lib/filelib.php
index 4da13f28dc7..4b1e7e80fbf 100644
--- a/lib/filelib.php
+++ b/lib/filelib.php
@@ -4506,6 +4506,14 @@ function file_pluginfile($relativepath, $forcedownload, $preview = null) {
                 send_file_not_found();
             }
 
+            if ($context->get_course_context(false)) {
+                // If block is in course context, then check if user has capability to access course.
+                require_course_login($course);
+            } else if ($CFG->forcelogin) {
+                // If user is logged out, bp record will not be visible, even if the user would have access if logged in.
+                require_login();
+            }
+
             $bprecord = $DB->get_record('block_positions', array('contextid' => $context->id, 'blockinstanceid' => $context->instanceid));
             // User can't access file, if block is hidden or doesn't have block:view capability
             if (($bprecord && !$bprecord->visible) || !has_capability('moodle/block:view', $context)) {
-- 
2.36.1