Skip to content

Commit

Permalink
MDL-32155 blocks: User can't access file, if block is hidden or doesn…
Browse files Browse the repository at this point in the history 
…'t have block:view capability
  • Loading branch information
Rajesh Taneja committed May 23, 2012
1 parent 14fdcb4 commit c58c05a
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions lib/filelib.php
View file
Expand Up @@ -3898,6 +3898,12 @@ function file_pluginfile($relativepath, $forcedownload) {
// somebody tries to gain illegal access, cm type must match the component! // somebody tries to gain illegal access, cm type must match the component!
send_file_not_found(); send_file_not_found();
} }

$bprecord = $DB->get_record('block_positions', array('blockinstanceid' => $context->instanceid), 'visible');
// User can't access file, if block is hidden or doesn't have block:view capability
if (($bprecord && !$bprecord->visible) || !has_capability('moodle/block:view', $context)) {
send_file_not_found();
}
} else { } else {
$birecord = null; $birecord = null;
} }
Expand Down

0 comments on commit c58c05a

Please sign in to comment.