Commit 7dde3951 authored by Robert Lyon's avatar Robert Lyon

Bug 1600069: Able to see profile icon when you don't have access to it

behatnotneeded

Change-Id: I6b114ec554ceea0bc1d74009959a4e82a455af16
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
parent aeb91f9e
......@@ -57,7 +57,7 @@ class PluginBlocktypeFiledownload extends PluginBlocktype {
);
if ($artefact instanceof ArtefactTypeProfileIcon) {
$file['downloadurl'] .= 'thumb.php?type=profileiconbyid&id=' . $artefactid;
$file['downloadurl'] .= 'thumb.php?type=profileiconbyid&id=' . $artefactid . '&view=' . $viewid;
}
else if ($artefact instanceof ArtefactTypeFile) {
$file['downloadurl'] .= 'artefact/file/download.php?file=' . $artefactid . '&view=' . $viewid;
......
......@@ -355,6 +355,7 @@ class PluginBlocktypeGallery extends PluginBlocktype {
if ($image instanceof ArtefactTypeProfileIcon) {
$src = get_config('wwwroot') . 'thumb.php?type=profileiconbyid&id=' . $artefactid;
$src .= '&view=' . $instance->get('view');
$description = $image->get('title');
}
else if ($image instanceof ArtefactTypeImage) {
......
......@@ -45,7 +45,7 @@ class PluginBlocktypeImage extends PluginBlocktype {
$viewid = $instance->get('view');
if ($image instanceof ArtefactTypeProfileIcon) {
$src = $wwwroot . 'thumb.php?type=profileiconbyid&id=' . $id;
$src = $wwwroot . 'thumb.php?type=profileiconbyid&id=' . $id . '&view=' . $viewid;
$description = $image->get('title');
}
else {
......
......@@ -2374,6 +2374,9 @@ class ArtefactTypeProfileIcon extends ArtefactTypeImage {
public static function get_icon($options=null) {
$url = get_config('wwwroot') . 'thumb.php?type=profileiconbyid&id=' . hsc($options['id']);
if (isset($options['viewid'])) {
$url .= '&view=' . $options['viewid'];
}
if (isset($options['size'])) {
$url .= '&size=' . $options['size'];
}
......
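Review bot: `$options['viewid']` is concatenated into the URL unescaped on the new line `$url .= '&view=' . $options['viewid'];`, while `$options['id']` on the line above goes through `hsc()`; the two caller-supplied options should be treated alike, `$url .= '&view=' . hsc($options['viewid']);` (or cast both with `(int)`, since they are ids). The same `'&view=' . …` append is the only change in the filedownload, gallery, image and profileinfo hunks, where the value comes from `$instance->get('view')` rather than a caller-supplied array, so this is the one place it matters. get_icon's body continues outside the hunk.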
......@@ -86,7 +86,7 @@ class PluginBlocktypeProfileinfo extends PluginBlocktype {
// Work out the path to the thumbnail for the profile image
if (!empty($configdata['profileicon'])) {
$downloadpath = get_config('wwwroot') . 'thumb.php?type=profileiconbyid&id=' . $configdata['profileicon'];
$downloadpath = get_config('wwwroot') . 'thumb.php?type=profileiconbyid&id=' . $configdata['profileicon'] . '&view=' . $instance->get('view');
$downloadpath .= '&maxwidth=80';
$smarty->assign('profileiconpath', $downloadpath);
$smarty->assign('profileiconalt', get_string('profileimagetext', 'mahara', display_default_name(get_user($viewowner))));
......
......@@ -2657,6 +2657,7 @@ function _get_views_trim_list(&$list, &$users, $limit, &$results) {
*/
function artefact_in_view($artefact, $view) {
if (!is_object($artefact)) {
require_once(get_config('docroot') . 'artefact/lib.php');
$artefact = artefact_instance_from_id($artefact);
}
......
......@@ -48,6 +48,25 @@ switch ($type) {
}
if ($id && $fileid = get_field('artefact_file_files', 'fileid', 'artefact', $id)) {
// Check that the profile icon is allowed to be seen
// Any profileiconbyid file that has been set as a user's default icon is ok
// But icons that are not should only be seen by their owner
// Unless that owner places them in a view that the user can see
if ($type == 'profileiconbyid' && !get_field('usr', 'id', 'profileicon', $id)) {
$viewid = param_integer('view', 0);
$ok = false;
if ($viewid) {
$ok = artefact_in_view($id, $viewid);
}
if (!$ok) {
if (
($USER && !$USER->is_logged_in()) ||
($USER->is_logged_in() && $USER->get('id') != get_field('artefact', 'owner', 'id', $id))
) {
exit;
}
}
}
if ($path = get_dataroot_image_path('artefact/file/profileicons', $fileid, $size)) {
if ($mimetype) {
header('Content-type: ' . $mimetype);
......
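Review bot: The `$viewid` branch only asks artefact_in_view() whether the icon sits in the view, not whether the current user may see that view, so the `view` parameter read on `$viewid = param_integer('view', 0);` is accepted for any view containing the icon regardless of the caller's access; the comment above says "a view that the user can see", which needs an access check alongside, `$ok = artefact_in_view($id, $viewid) && can_view_view($viewid);`, unless artefact_in_view already does that (its visible signature takes no user, so presumably not). The `$USER` guard is also inconsistent: `($USER && !$USER->is_logged_in())` tolerates a null `$USER`, but the next clause calls `$USER->is_logged_in()` unconditionally, so a null `$USER` would fail with an Error instead of being refused; either drop the `$USER &&` or guard both clauses. The bare `exit;` also answers with an empty 200 response — sending a 403 first (`header('HTTP/1.0 403 Forbidden');` or the project's access-denied helper) makes the refusal visible to clients and logs. The enclosing code begins before the hunk.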