Commit 335ea6eb authored by Nigel McNie's avatar Nigel McNie

Forbid the file downloading script from serving artefacts it does not know anything about.

parent 0c373122
......@@ -45,6 +45,9 @@ if ($viewid && $fileid) {
}
$file = artefact_instance_from_id($fileid);
if (!($file instanceof ArtefactTypeFile)) {
throw new NotFoundException();
}
$path = $file->get_path(array('size' => $size));
$title = $file->download_title();
serve_file($path, $title);
......@@ -52,6 +55,9 @@ if ($viewid && $fileid) {
// We just have a file ID
$file = artefact_instance_from_id($fileid);
if (!($file instanceof ArtefactTypeFile)) {
throw new NotFoundException();
}
// If the file is in the public directory, it's fine to serve
$fileispublic = $file->get('parent') == ArtefactTypeFolder::admin_public_folder_id();
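Review bot: The `instanceof ArtefactTypeFile` guard appears verbatim in both branches, after each `artefact_instance_from_id($fileid)` call, so a download path added later could easily miss it. Loading and type-checking the artefact once, before the `if ($viewid && $fileid)` split or in a small helper, would keep the rule in one place. The `NotFoundException` is also thrown with no message, so a refused request records nothing about which id was asked for; assuming the class accepts a message, `throw new NotFoundException('Artefact ' . (int) $fileid . ' is not a file');` would make refusals traceable in the logs. In the second branch the type check runs before the public-folder logic that follows, so it is worth confirming that the later denial path does not reveal more about an artefact than this "not found" does. Both branches begin and continue outside the visible hunks, so the surrounding permission checks could not be reviewed here.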
......