Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

MDL-27586 fix file_browser access control

  • Loading branch information...
commit 520f687cdef2183cbeb0baee5a88fb24e2d192d5 1 parent 80eb52c
@skodak skodak authored
View
10 lib/filebrowser/file_info_context_course.php
@@ -53,10 +53,20 @@ public function __construct($browser, $context, $course) {
* @param $filename
*/
public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
+ // try to emulate require_login() tests here
+ if (!isloggedin()) {
+ return null;
+ }
+
if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $this->context)) {
return null;
}
+ if (!is_viewing($this->context) and !is_enrolled($this->context)) {
+ // no peaking here if not enrolled or inspector
+ return null;
+ }
+
if (empty($component)) {
return $this;
}
View
19 lib/filebrowser/file_info_context_module.php
@@ -75,11 +75,28 @@ public function __construct($browser, $context, $course, $cm, $modname) {
* @param $filename
*/
public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
- if (!is_enrolled($this->context) and !is_viewing($this->context)) {
+ // try to emulate require_login() tests here
+ if (!isloggedin()) {
+ return null;
+ }
+
+ $coursecontext = get_course_context($this->context);
+ if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $coursecontext)) {
+ return null;
+ }
+
+ if (!is_viewing($this->context) and !is_enrolled($this->context)) {
// no peaking here if not enrolled or inspector
return null;
}
+ $modinfo = get_fast_modinfo($this->course);
+ $cminfo = $modinfo->get_cm($this->cm->id);
+ if (!$cminfo->uservisible) {
+ // activity hidden sorry
+ return null;
+ }
+
if (empty($component)) {
return $this;
}
Please sign in to comment.
Something went wrong with that request. Please try again.