Permalink
Browse files

MDL-32155 blocks: User can't access file, if block is hidden or doesn…

…'t have block:view capability
  • Loading branch information...
Rajesh Taneja
Rajesh Taneja committed May 18, 2012
1 parent 5a5cdaf commit 34b455fc98756903f25c54dd9f33cd158a4a3645
Showing with 6 additions and 0 deletions.
  1. +6 −0 lib/filelib.php
View
@@ -4080,6 +4080,12 @@ function file_pluginfile($relativepath, $forcedownload, $preview = null) {
// somebody tries to gain illegal access, cm type must match the component!
send_file_not_found();
}
+
+ $bprecord = $DB->get_record('block_positions', array('blockinstanceid' => $context->instanceid), 'visible');
+ // User can't access file, if block is hidden or doesn't have block:view capability
+ if (($bprecord && !$bprecord->visible) || !has_capability('moodle/block:view', $context)) {
+ send_file_not_found();
+ }
} else {
$birecord = null;
}

0 comments on commit 34b455f

Please sign in to comment.