WebSVN – Moodle – Diff – /blocks/html/lib.php

  * @param array $options additional options affecting the file serving
  * @return bool
  * @todo MDL-36050 improve capability check on stick blocks, so we can check user capability before sending images.
  */
 function block_html_pluginfile($course, $birecord_or_cm, $context, $filearea, $args, $forcedownload, array $options=array()) {
-    global $DB, $CFG, $USER;
+    global $CFG;
+    require_once("{$CFG->dirroot}/user/lib.php");
     if ($context->contextlevel != CONTEXT_BLOCK) {
         send_file_not_found();
         if ($parentcontext->contextlevel === CONTEXT_COURSECAT) {
             // Check if category is visible and user can view this category.
             if (!core_course_category::get($parentcontext->instanceid, IGNORE_MISSING)) {
                 send_file_not_found();
+            }
-        } else if ($parentcontext->contextlevel === CONTEXT_USER && $parentcontext->instanceid != $USER->id) {
+        } else if ($parentcontext->contextlevel === CONTEXT_USER) {
+            $user = core_user::get_user($parentcontext->instanceid, '*', MUST_EXIST);
-            // The block is in the context of a user, it is only visible to the user who it belongs to.
+            $extracaps = block_method_result('html', 'get_extra_capabilities');
+            if (!user_can_view_profile($user, null, $parentcontext) || !has_any_capability($extracaps, $context)) {
-            send_file_not_found();
+                send_file_not_found();
+            }
+        }
         // At this point there is no way to check SYSTEM context, so ignoring it.
+    }

Proyectos de Subversion Moodle

(root)/blocks/html/lib.php – Rev 1 → 1441