Commit 9a2519b8 authored by Son Nguyen's avatar Son Nguyen

Fix the accessibility to public site files (Bug 1224750)



Change-Id: I04eec56e705932d38da4968e1ddc692dcc00b515
Signed-off-by: default avatarSon Nguyen <son.nguyen@catalyst.net.nz>
parent 12fe2696
......@@ -580,7 +580,7 @@ class PluginBlocktypeGallery extends PluginBlocktype {
if (!empty($values['images'])) {
foreach ($values['images'] as $id) {
$image = new ArtefactTypeImage($id);
if (!($image instanceof ArtefactTypeImage) || !$USER->can_publish_artefact($image)) {
if (!($image instanceof ArtefactTypeImage) || !$USER->can_view_artefact($image)) {
$result['message'] = get_string('unrecoverableerror', 'error');
$form->set_error(null, $result['message']);
$form->reply(PIEFORM_ERR, $result);
......@@ -590,7 +590,7 @@ class PluginBlocktypeGallery extends PluginBlocktype {
if (!empty($values['folder'])) {
$folder = artefact_instance_from_id($values['folder']);
if (!($folder instanceof ArtefactTypeFolder) || !$USER->can_publish_artefact($folder)) {
if (!($folder instanceof ArtefactTypeFolder) || !$USER->can_view_artefact($folder)) {
$result['message'] = get_string('unrecoverableerror', 'error');
$form->set_error(null, $result['message']);
$form->reply(PIEFORM_ERR, $result);
......
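Review bot: Swapping `can_publish_artefact()` for `can_view_artefact()` in both gallery checks relaxes the test for every image and folder id submitted with the form, not only for files under the public site folder. The rendered page lost its +/- markers, so this reads the second line of each pair as the new side, which matches the commit title. If view permission is broader than publish permission, as the method names suggest (neither body is fully visible here), a user may be able to embed in their own block any artefact they are merely allowed to see. A narrower change keeps `can_publish_artefact()` at these call sites and admits the public-folder case as an explicit exception beside it. The same swap appears in the `BlockInstance` and `pieform_element_filebrowser` hunks further down.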
......@@ -985,6 +985,16 @@ class User {
public function can_view_artefact($a) {
global $USER;
// Files in the public site folder and its subfolders
if ($a instanceof ArtefactTypeFileBase) {
$publicfolderid = ArtefactTypeFolder::admin_public_folder_id();
$fileispublic = ($a->get('id') == $publicfolderid)
|| (($a->get('institution') == 'mahara') && (bool)get_field('artefact_parent_cache', 'artefact', 'artefact', $a->get('id'), 'parent', $publicfolderid));
if ($fileispublic) {
return true;
}
}
$parent = $a->get_parent_instance();
if ($parent) {
if (!$this->can_view_artefact($parent)) {
......
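Review bot: The public-folder shortcut added at the top of `can_view_artefact()` does not handle an empty result from `ArtefactTypeFolder::admin_public_folder_id()`, and it compares ids with a loose `==`. If that helper can return `null` or `false` when no public folder exists (not visible here), a file artefact whose id is still unset would compare equal and be reported as viewable. Guarding the expression with `!empty($publicfolderid) && (...)` and comparing `(int)$a->get('id') === (int)$publicfolderid` closes that case. The early `return true` also skips every later check in the function, whose body continues outside the hunk, so a one-line comment stating that rows in `artefact_parent_cache` now decide authorisation for site files would help the next reader.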
......@@ -506,7 +506,7 @@ class BlockInstance {
if (is_array($id)) {
foreach ($id as $id) {
$file = artefact_instance_from_id($id);
if (!$USER->can_publish_artefact($file)) {
if (!$USER->can_view_artefact($file)) {
// bail out now as at least one attachment is bad
return false;
}
......@@ -514,7 +514,7 @@ class BlockInstance {
}
else {
$file = artefact_instance_from_id($id);
if (!$USER->can_publish_artefact($file)) {
if (!$USER->can_view_artefact($file)) {
return false;
}
}
......
......@@ -90,7 +90,7 @@ function pieform_element_filebrowser(Pieform $form, $element) {
foreach ($value as $k => $v) {
$file = artefact_instance_from_id($v);
if ((!($file instanceof ArtefactTypeFile) && !($file instanceof ArtefactTypeFolder))
|| !$USER->can_publish_artefact($file)) {
|| !$USER->can_view_artefact($file)) {
unset($value[$k]);
}
}
......