MDL-32155 blocks: User can't access file, if block is hidden or doesn't have block:view capability
commit 38d13c23f10d0f4d4993bcf498536a8fa54c790f 1 parent 2ddb941
@rajeshtaneja rajeshtaneja authored
Showing with 6 additions and 0 deletions.
  1. +6 −0 pluginfile.php
6 pluginfile.php
@@ -732,6 +732,12 @@
// somebody tries to gain illegal access, cm type must match the component!
send_file_not_found();
}
+
+ $bprecord = $DB->get_record('block_positions', array('blockinstanceid' => $context->instanceid), 'visible');
+ // User can't access file, if block is hidden or doesn't have block:view capability
+ if (($bprecord && !$bprecord->visible) || !has_capability('moodle/block:view', $context)) {
+ send_file_not_found();
+ }
} else {
$birecord = null;
}
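Review bot: The `$DB->get_record('block_positions', array('blockinstanceid' => $context->instanceid), 'visible')` lookup filters on blockinstanceid alone, so if a block instance can have more than one block_positions row (for example one per page it appears on), the visibility that denies the file comes from whichever row is returned rather than from the page the request relates to. Consider narrowing the conditions, or say in the comment why any hidden row should block access. A missing row (`$bprecord` false) is silently treated as visible, which the comment should also state. The `has_capability('moodle/block:view', $context)` test could run first so the extra query is skipped when the capability is absent.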