moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-08 10:26:40 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDL-43877 blocks: Files from blocks in my/ were accessible to the world

Browse source
This commit is contained in:
Frederic Massart 2014-03-20 16:14:03 +08:00 committed by Dan Poltawski
parent 333e42243c
commit 568514ee7f
1 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
blocks/html/lib.php
View file

@ -33,7 +33,7 @@
* @todo MDL-36050 improve capability check on stick blocks, so we can check user capability before sending images. * @todo MDL-36050 improve capability check on stick blocks, so we can check user capability before sending images.
*/ */
function block_html_pluginfile($course, $birecord_or_cm, $context, $filearea, $args, $forcedownload, array $options=array()) { function block_html_pluginfile($course, $birecord_or_cm, $context, $filearea, $args, $forcedownload, array $options=array()) {
global $DB, $CFG; global $DB, $CFG, $USER;
if ($context->contextlevel != CONTEXT_BLOCK) { if ($context->contextlevel != CONTEXT_BLOCK) {
send_file_not_found(); send_file_not_found();
@ -53,8 +53,11 @@ function block_html_pluginfile($course, $birecord_or_cm, $context, $filearea, $a
if (!$category->visible) { if (!$category->visible) {
require_capability('moodle/category:viewhiddencategories', $parentcontext); require_capability('moodle/category:viewhiddencategories', $parentcontext);
} }
} else if ($parentcontext->contextlevel === CONTEXT_USER && $parentcontext->instanceid != $USER->id) {
// The block is in the context of a user, it is only visible to the user who it belongs to.
send_file_not_found();
} }
// At this point there is no way to check SYSTEM or USER context, so ignoring it. // At this point there is no way to check SYSTEM context, so ignoring it.
} }
if ($filearea !== 'content') { if ($filearea !== 'content') {