From f6b07c4da54a9db24723beb147e8a19a3d487e00 Mon Sep 17 00:00:00 2001
From: Petr Skoda <commits@skodak.org>
Date: Sat, 6 Aug 2011 15:45:18 +0200
Subject: [PATCH] MDL-27586 fix file_browser access control

---
 lib/filebrowser/file_info_context_course.php | 10 ++++++++++
 lib/filebrowser/file_info_context_module.php | 19 ++++++++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/lib/filebrowser/file_info_context_course.php b/lib/filebrowser/file_info_context_course.php
index df8b0c497fd..14f5283f380 100644
--- a/lib/filebrowser/file_info_context_course.php
+++ b/lib/filebrowser/file_info_context_course.php
@@ -53,10 +53,20 @@ class file_info_context_course extends file_info {
      * @param $filename
      */
     public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
+        // try to emulate require_login() tests here
+        if (!isloggedin()) {
+            return null;
+        }
+
         if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $this->context)) {
             return null;
         }
 
+        if (!is_viewing($this->context) and !is_enrolled($this->context)) {
+            // no peaking here if not enrolled or inspector
+            return null;
+        }
+
         if (empty($component)) {
             return $this;
         }
diff --git a/lib/filebrowser/file_info_context_module.php b/lib/filebrowser/file_info_context_module.php
index e72e3151f53..a8149c677ac 100644
--- a/lib/filebrowser/file_info_context_module.php
+++ b/lib/filebrowser/file_info_context_module.php
@@ -75,11 +75,28 @@ class file_info_context_module extends file_info {
      * @param $filename
      */
     public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
-        if (!is_enrolled($this->context) and !is_viewing($this->context)) {
+        // try to emulate require_login() tests here
+        if (!isloggedin()) {
+            return null;
+        }
+
+        $coursecontext = get_course_context($this->context);
+        if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $coursecontext)) {
+            return null;
+        }
+
+        if (!is_viewing($this->context) and !is_enrolled($this->context)) {
             // no peaking here if not enrolled or inspector
             return null;
         }
 
+        $modinfo = get_fast_modinfo($this->course);
+        $cminfo = $modinfo->get_cm($this->cm->id);
+        if (!$cminfo->uservisible) {
+            // activity hidden sorry
+            return null;
+        }
+
         if (empty($component)) {
             return $this;
         }
-- 
2.17.1