Permalink
Browse files

Merge branch 'wip-mdl-29762-m23' of git://github.com/rajeshtaneja/moo…

…dle into MOODLE_23_STABLE
  • Loading branch information...
2 parents 046c987 + 672bea4 commit 5aa4e27404ec3ae1e6b433d038467c0f70a86289 @danpoltawski danpoltawski committed Oct 31, 2012
Showing with 19 additions and 2 deletions.
  1. +19 −2 blocks/html/lib.php
View
@@ -30,15 +30,32 @@
* @param bool $forcedownload whether or not force download
* @param array $options additional options affecting the file serving
* @return bool
+ * @todo MDL-36050 improve capability check on stick blocks, so we can check user capability before sending images.
*/
function block_html_pluginfile($course, $birecord_or_cm, $context, $filearea, $args, $forcedownload, array $options=array()) {
- global $SCRIPT;
+ global $DB, $CFG;
if ($context->contextlevel != CONTEXT_BLOCK) {
send_file_not_found();
}
- require_course_login($course);
+ // If block is in course context, then check if user has capability to access course.
+ if ($context->get_course_context(false)) {
+ require_course_login($course);
+ } else if ($CFG->forcelogin) {
+ require_login();
+ } else {
+ // Get parent context and see if user have proper permission.
+ $parentcontext = $context->get_parent_context();
+ if ($parentcontext->contextlevel === CONTEXT_COURSECAT) {
+ // Check if category is visible and user can view this category.
+ $category = $DB->get_record('course_categories', array('id' => $parentcontext->instanceid), '*', MUST_EXIST);
+ if (!$category->visible) {
+ require_capability('moodle/category:viewhiddencategories', $parentcontext);
+ }
+ }
+ // At this point there is no way to check SYSTEM or USER context, so ignoring it.
+ }
if ($filearea !== 'content') {
send_file_not_found();

0 comments on commit 5aa4e27

Please sign in to comment.