From 5ad8935f456fa49614e2886e2f9770c3f756d35e Mon Sep 17 00:00:00 2001 From: Rajesh Taneja Date: Mon, 15 Oct 2012 16:26:17 +0800 Subject: [PATCH] MDL-29762 Blocks: Modified checks to show image in html block --- blocks/html/lib.php | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/blocks/html/lib.php b/blocks/html/lib.php index 03d58ca27ceee..58de649618acc 100644 --- a/blocks/html/lib.php +++ b/blocks/html/lib.php @@ -30,15 +30,32 @@ * @param bool $forcedownload whether or not force download * @param array $options additional options affecting the file serving * @return bool + * @todo MDL-36050 improve capability check on stick blocks, so we can check user capability before sending images. */ function block_html_pluginfile($course, $birecord_or_cm, $context, $filearea, $args, $forcedownload, array $options=array()) { - global $SCRIPT; + global $DB, $CFG; if ($context->contextlevel != CONTEXT_BLOCK) { send_file_not_found(); } - require_course_login($course); + // If block is in course context, then check if user has capability to access course. + if ($context->get_course_context(false)) { + require_course_login($course); + } else if ($CFG->forcelogin) { + require_login(); + } else { + // Get parent context and see if user have proper permission. + $parentcontext = $context->get_parent_context(); + if ($parentcontext->contextlevel === CONTEXT_COURSECAT) { + // Check if category is visible and user can view this category. + $category = $DB->get_record('course_categories', array('id' => $parentcontext->instanceid), '*', MUST_EXIST); + if (!$category->visible) { + require_capability('moodle/category:viewhiddencategories', $parentcontext); + } + } + // At this point there is no way to check SYSTEM or USER context, so ignoring it. + } if ($filearea !== 'content') { send_file_not_found();