From cf0b9432d81ba9d5763e4894f82c95ca9fbf548f Mon Sep 17 00:00:00 2001
From: Tim Hunt
Date: Mon, 26 Sep 2016 19:46:22 +0100
Subject: [PATCH] MDL-53744 question file access: fix access checks
---
 question/type/essay/question.php | 2 +-
 question/type/questionbase.php | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/question/type/essay/question.php b/question/type/essay/question.php
index d6c2b694369..a14b06ab759 100644
--- a/question/type/essay/question.php
+++ b/question/type/essay/question.php
@@ -140,7 +140,7 @@ class qtype_essay_question extends question_with_responses {
 return $this->responseformat === 'editorfilepicker';
 } else if ($component == 'qtype_essay' && $filearea == 'graderinfo') {
- return $options->manualcomment;
+ return $options->manualcomment && $args[0] == $this->id;
 } else {
 return parent::check_file_access($qa, $options, $component,
diff --git a/question/type/questionbase.php b/question/type/questionbase.php
index 31c36f0b96d..879381e91dc 100644
--- a/question/type/questionbase.php
+++ b/question/type/questionbase.php
@@ -413,11 +413,11 @@ abstract class question_definition {
 */
 public function check_file_access($qa, $options, $component, $filearea, $args, $forcedownload) {
 if ($component == 'question' && $filearea == 'questiontext') {
- // Question text always visible.
- return true;
+ // Question text always visible, but check it is the right question id.
+ return $args[0] == $this->id;
 } else if ($component == 'question' && $filearea == 'generalfeedback') {
- return $options->generalfeedback;
+ return $options->generalfeedback && $args[0] == $this->id;
 } else {
 // Unrecognised component or filearea.
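Review bot: In question/type/essay/question.php the added `$args[0] == $this->id` is a loose comparison on what is presumably a request-supplied value, so the check accepts anything PHP's type juggling considers equal to the id rather than only its canonical form, and it reads `$args[0]` without confirming the element exists. A strict form such as `return $options->manualcomment && isset($args[0]) && (string) $args[0] === (string) $this->id;` removes that dependence on juggling rules. The same expression is added three more times in question/type/questionbase.php (the `questiontext` and `generalfeedback` branches and the combined-feedback return), and the same change applies there. Whether a non-canonical value could reach a file lookup depends on code outside this patch, so treat this as hardening.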
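Review bot: In question/type/questionbase.php, `check_file_access()` now requires `$args[0]` to match the question id for the base file areas, but the docblock that closes just above the signature is not updated to say so, and the check is written per branch rather than once for every file area. Subclasses that override this method for their own file areas get no id check unless they add it themselves, as the essay type has to in this same patch; overrides in other question types are not visible here. I would add to the docblock a line such as `Implementations must verify that $args[0] is this question's id before granting access to any file area they handle.` The docblock starts above the hunk and the method body continues past its end.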
@@ -681,7 +681,8 @@ abstract class question_graded_automatically extends question_with_responses
 list($notused, $state) = $this->grade_response($response);
 }
- return $options->feedback && $state->get_feedback_class() . 'feedback' == $filearea;
+ return $options->feedback && $state->get_feedback_class() . 'feedback' == $filearea &&
+ $args[0] == $this->id;
 }
 /**
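Review bot: The added line reads `$args[0]`, but the enclosing method's signature is outside this hunk and the diffstat shows no other change to this file, so nothing visible establishes that `$args` is a parameter here. If the method does not already receive it, `$args` is undefined on this line, the comparison runs against null, and the combined-feedback check fails for every request with a real question id while emitting a notice. Confirm the signature, and if needed add `$args` as a parameter and pass it from each caller. Separately, the id comparison is cheap and could be tested before the `grade_response()` call shown in the context above, so a mismatched request returns early.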