From f6b07c4da54a9db24723beb147e8a19a3d487e00 Mon Sep 17 00:00:00 2001
From: Petr Skoda
Date: Sat, 6 Aug 2011 15:45:18 +0200
Subject: [PATCH] MDL-27586 fix file_browser access control
---
 lib/filebrowser/file_info_context_course.php | 10 ++++++++++
 lib/filebrowser/file_info_context_module.php | 19 ++++++++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/lib/filebrowser/file_info_context_course.php b/lib/filebrowser/file_info_context_course.php
index df8b0c497fd..14f5283f380 100644
--- a/lib/filebrowser/file_info_context_course.php
+++ b/lib/filebrowser/file_info_context_course.php
@@ -53,10 +53,20 @@ class file_info_context_course extends file_info {
 * @param $filename
 */
 public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
+ // try to emulate require_login() tests here
+ if (!isloggedin()) {
+ return null;
+ }
+
 if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $this->context)) {
 return null;
 }
 
+ if (!is_viewing($this->context) and !is_enrolled($this->context)) {
+ // no peaking here if not enrolled or inspector
+ return null;
+ }
+
 if (empty($component)) {
 return $this;
 }
diff --git a/lib/filebrowser/file_info_context_module.php b/lib/filebrowser/file_info_context_module.php
index e72e3151f53..a8149c677ac 100644
--- a/lib/filebrowser/file_info_context_module.php
+++ b/lib/filebrowser/file_info_context_module.php
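Review bot: The added comment `// try to emulate require_login() tests here` in file_info_context_course::get_file_info does not say which require_login() conditions are covered, so a later reader cannot tell an intentional omission from a gap in the access check. Only three guards are visible here (logged in, hidden course, enrolled-or-viewing), and the same sequence is repeated by hand in file_info_context_module::get_file_info in the second hunk, which invites the two copies drifting apart. I would document the scope explicitly, e.g. `// Access gate: login, hidden-course and enrolment/view checks only; other require_login() conditions are NOT evaluated here.`, and consider moving the sequence into one shared helper that both classes call. The body of get_file_info continues outside the hunk, so whether the component-specific branches add further checks cannot be judged from here.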
@@ -75,11 +75,28 @@ class file_info_context_module extends file_info {
 * @param $filename
 */
 public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
- if (!is_enrolled($this->context) and !is_viewing($this->context)) {
+ // try to emulate require_login() tests here
+ if (!isloggedin()) {
+ return null;
+ }
+
+ $coursecontext = get_course_context($this->context);
+ if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $coursecontext)) {
+ return null;
+ }
+
+ if (!is_viewing($this->context) and !is_enrolled($this->context)) {
 // no peaking here if not enrolled or inspector
 return null;
 }
 
+ $modinfo = get_fast_modinfo($this->course);
+ $cminfo = $modinfo->get_cm($this->cm->id);
+ if (!$cminfo->uservisible) {
+ // activity hidden sorry
+ return null;
+ }
+
 if (empty($component)) {
 return $this;
 }
--
2.43.0
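Review bot: The new visibility check calls `$modinfo->get_cm($this->cm->id)` with no handling for a module that is absent from the modinfo data, while every other refusal in this method is signalled with `return null`. As far as I know get_cm() raises an exception for an unknown id rather than returning null, so a stale or partially rebuilt modinfo cache would surface as an uncaught error instead of a clean denial; this should be confirmed against the course_modinfo implementation in this branch. A fail-closed form would be `if (empty($modinfo->cms[$this->cm->id]) or !$modinfo->cms[$this->cm->id]->uservisible) { return null; }`. The body of get_file_info continues outside the hunk.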