From c58c05ad4f22c6ee1e136a7d4caaddd809a7134d Mon Sep 17 00:00:00 2001
From: Rajesh Taneja
Date: Fri, 18 May 2012 14:55:32 +0800
Subject: [PATCH] MDL-32155 blocks: User can't access file, if block is hidden or doesn't have block:view capability
---
 lib/filelib.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lib/filelib.php b/lib/filelib.php
index ea169cce4ba..92565f988ea 100644
--- a/lib/filelib.php
+++ b/lib/filelib.php
@@ -3898,6 +3898,12 @@ function file_pluginfile($relativepath, $forcedownload) {
 // somebody tries to gain illegal access, cm type must match the component!
 send_file_not_found();
 }
+
+ $bprecord = $DB->get_record('block_positions', array('blockinstanceid' => $context->instanceid), 'visible');
+ // User can't access file, if block is hidden or doesn't have block:view capability
+ if (($bprecord && !$bprecord->visible) || !has_capability('moodle/block:view', $context)) {
+ send_file_not_found();
+ }
 } else {
 $birecord = null;
 }
--
2.43.0
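Review bot: The `block_positions` lookup added after the blockname check keys on `blockinstanceid` alone, which looks unsafe if that table can hold several rows for one block instance (one per page where the block has been moved or hidden; worth confirming against the schema). In that case `get_record()` returns just one of the rows, so a block hidden on one page could still have its files served, or a visible block could be refused. If the intent is to fail closed, a check such as `$DB->record_exists('block_positions', array('blockinstanceid' => $context->instanceid, 'visible' => 0))` makes that policy explicit; otherwise the lookup needs further columns so that it selects a single row. `file_pluginfile()` begins and ends outside the hunk, so whether a login check runs before `has_capability()` cannot be seen here; if none does, a logged-out user gets a not-found response rather than a login prompt.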