MDL-70638 user: correct access checks when serving profile files.

Requests for files from a user's profile file area should be subject to
the same access checks as viewing the profile itself.
Paul Holden 2021-06-10 23:29:44 +01:00
parent 3610f1ee3b
commit 4f343bd359


@ -4649,34 +4649,16 @@ function file_pluginfile($relativepath, $forcedownload, $preview = null, $offlin
$userid = $context->instanceid;
if ($USER->id == $userid) {
// always can access own
if (!empty($CFG->forceloginforprofiles)) {
require_once("{$CFG->dirroot}/user/lib.php");
} else if (!empty($CFG->forceloginforprofiles)) {
require_login();
if (isguestuser()) {
// Verify the current user is able to view the profile of the supplied user anywhere.
$user = core_user::get_user($userid);
if (!user_can_view_profile($user, null, $context)) {
send_file_not_found();
}
// we allow access to site profile of all course contacts (usually teachers)
if (!has_coursecontact_role($userid) && !has_capability('moodle/user:viewdetails', $context)) {
send_file_not_found();
}
$canview = false;
if (has_capability('moodle/user:viewdetails', $context)) {
$canview = true;
} else {
$courses = enrol_get_my_courses();
}
while (!$canview && count($courses) > 0) {
$course = array_shift($courses);
if (has_capability('moodle/user:viewdetails', context_course::instance($course->id))) {
$canview = true;
}
}
}
$filename = array_pop($args);
@ -4697,23 +4679,14 @@ function file_pluginfile($relativepath, $forcedownload, $preview = null, $offlin
}
if (!empty($CFG->forceloginforprofiles)) {
require_login();
if (isguestuser()) {
print_error('noguest');
}
require_once("{$CFG->dirroot}/user/lib.php");
//TODO: review this logic of user profile access prevention
if (!has_coursecontact_role($userid) and !has_capability('moodle/user:viewdetails', $usercontext)) {
print_error('usernotavailable');
}
if (!has_capability('moodle/user:viewdetails', $context) && !has_capability('moodle/user:viewdetails', $usercontext)) {
print_error('cannotviewprofile');
}
if (!is_enrolled($context, $userid)) {
print_error('notenrolledprofile');
}
if (groups_get_course_groupmode($course) == SEPARATEGROUPS and !has_capability('moodle/site:accessallgroups', $context)) {
print_error('groupnotamember');
require_login();
// Verify the current user is able to view the profile of the supplied user in current course.
$user = core_user::get_user($userid);
if (!user_can_view_profile($user, $course, $usercontext)) {
send_file_not_found();
}
}
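Review bot: `$user = core_user::get_user($userid);` on the line before the `user_can_view_profile()` call is not checked for failure; with its default (non-MUST_EXIST) strictness that lookup appears to return `false` rather than throw when no user row matches, so a request for a non-existent user would hand `false` to the profile check instead of being refused up front. Since `$userid` in this course branch is derived from the request path (its assignment sits above the hunk, so that is inferred), the lookup is worth guarding: `if (!$user || !user_can_view_profile($user, $course, $usercontext)) {` so that an unknown user yields the same `send_file_not_found()` response. The same guard applies to the site-wide branch in the first hunk, `if (!$user || !user_can_view_profile($user, null, $context)) {`. Whether `user_can_view_profile()` itself tolerates a `false` argument cannot be confirmed from this diff, which is why failing closed here is the safer default. The enclosing `else if` branch of `file_pluginfile()` starts outside the hunk.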