From c58c05ad4f22c6ee1e136a7d4caaddd809a7134d Mon Sep 17 00:00:00 2001
From: Rajesh Taneja <rajesh@moodle.com>
Date: Fri, 18 May 2012 14:55:32 +0800
Subject: [PATCH] MDL-32155 blocks: User can't access file, if block is hidden
 or doesn't have block:view capability

---
 lib/filelib.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/filelib.php b/lib/filelib.php
index ea169cce4ba..92565f988ea 100644
--- a/lib/filelib.php
+++ b/lib/filelib.php
@@ -3898,6 +3898,12 @@ function file_pluginfile($relativepath, $forcedownload) {
                 // somebody tries to gain illegal access, cm type must match the component!
                 send_file_not_found();
             }
+
+            $bprecord = $DB->get_record('block_positions', array('blockinstanceid' => $context->instanceid), 'visible');
+            // User can't access file, if block is hidden or doesn't have block:view capability
+            if (($bprecord && !$bprecord->visible) || !has_capability('moodle/block:view', $context)) {
+                 send_file_not_found();
+            }
         } else {
             $birecord = null;
         }
-- 
2.17.1