Permalink
Browse files

MDL-32155 blocks: User can't access file, if block is hidden or doesn…

…'t have block:view capability
  • Loading branch information...
1 parent 14fdcb4 commit c58c05ad4f22c6ee1e136a7d4caaddd809a7134d Rajesh Taneja committed May 18, 2012
Showing with 6 additions and 0 deletions.
  1. +6 −0 lib/filelib.php
View
@@ -3898,6 +3898,12 @@ function file_pluginfile($relativepath, $forcedownload) {
// somebody tries to gain illegal access, cm type must match the component!
send_file_not_found();
}
+
+ $bprecord = $DB->get_record('block_positions', array('blockinstanceid' => $context->instanceid), 'visible');
+ // User can't access file, if block is hidden or doesn't have block:view capability
+ if (($bprecord && !$bprecord->visible) || !has_capability('moodle/block:view', $context)) {
+ send_file_not_found();
+ }
} else {
$birecord = null;
}

0 comments on commit c58c05a

Please sign in to comment.