From 9da3dfa4aca5240f06c8cd3e984bbb0bd5eb80de Mon Sep 17 00:00:00 2001
From: skodak <skodak>
Date: Sat, 5 Jul 2008 14:18:30 +0000
Subject: [PATCH] MDL-13776 assignment attachment access now verified in module
 context; merged from MOODLE_19_STABLE

---
 file.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/file.php b/file.php
index 6772374c076..51cc06247e3 100644
--- a/file.php
+++ b/file.php
@@ -106,10 +106,17 @@
         and (strtolower($args[2]) == 'assignment')) {
 
         $lifetime = 0;  // do not cache assignments, students may reupload them
-        if (!has_capability('mod/assignment:grade', get_context_instance(CONTEXT_COURSE, $course->id))
-          and $args[4] != $USER->id) {
-           print_error('nopermissions');
-        }
+        if ($args[4] == $USER->id) {
+            //can view own assignemnt submissions
+        } else {
+            $instance = (int)$args[3];
+            if (!$cm = get_coursemodule_from_instance('assignment', $instance, $course->id)) {
+                not_found($course->id);
+            }
+            if (!has_capability('mod/assignment:grade', get_context_instance(CONTEXT_MODULE, $cm->id))) {
+                print_error('nopermissions');
+            }
+        } 
     }
 
     // security: force download of all attachments submitted by students