MDL-32155 blocks: User can't access file, if block is hidden or doesn't have block:view capability
commit 38d13c23f10d0f4d4993bcf498536a8fa54c790f 1 parent 2ddb941
Rajesh Taneja authored May 23, 2012

Showing 1 changed file with 6 additions and 0 deletions.

6  pluginfile.php
@@ -732,6 +732,12 @@
732 732
             // somebody tries to gain illegal access, cm type must match the component!
733 733
             send_file_not_found();
734 734
         }
  735
+
  736
+        $bprecord = $DB->get_record('block_positions', array('blockinstanceid' => $context->instanceid), 'visible');
  737
+        // User can't access file, if block is hidden or doesn't have block:view capability
  738
+        if (($bprecord && !$bprecord->visible) || !has_capability('moodle/block:view', $context)) {
  739
+                send_file_not_found();
  740
+        }
735 741
     } else {
736 742
         $birecord = null;
737 743
     }
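
Review bot: the `block_positions` lookup on new line 736 is keyed on `blockinstanceid` alone, so if that table can hold more than one row per block instance (for example one per page the block appears on), `get_record()` returns whichever row comes first and the `visible` value tested on line 738 may not belong to the page the file is being requested from. Consider narrowing the conditions to the page in question, or stating in the comment why a single row is guaranteed. Two smaller points: when no row is found, `$bprecord` is false and only the `moodle/block:view` check applies, which deserves a word in the comment if that is intended; and running `has_capability()` first would avoid the query for users who fail it anyway. The `send_file_not_found();` on line 739 is indented four spaces deeper than the identical call on line 733. Returning the same not-found response for both the hidden and the no-capability case is good, since it does not reveal which condition failed.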
