From 1adcd6f5a1651c63ae9a0ca77195baf74a117aa9 Mon Sep 17 00:00:00 2001
From: Gareth Barnard <1058419+gjb2048@users.noreply.github.com>
Date: Wed, 28 Aug 2024 18:07:45 +0100
Subject: [PATCH] Ensure correct context.
---
 lib.php | 40 ++++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/lib.php b/lib.php
index bd157d0..0e9270f 100644
--- a/lib.php
+++ b/lib.php
@@ -801,24 +801,28 @@ function format_vsf_pluginfile($course, $cm, $context, $filearea, $args, $forced
 send_file_not_found();
 }
- // Leave this line out if you set the itemid to null in make_pluginfile_url (set $itemid to 0 instead).
- $itemid = array_shift($args); // The first item in the $args array.
- // Use the itemid to retrieve any relevant data records and perform any security checks to see if the
- // user really does have access to the file in question.
- // Extract the filename / filepath from the $args array.
- $filename = array_pop($args); // The last item in the $args array.
- if (!$args) {
- $filepath = '/';
- } else {
- $filepath = '/' . implode('/', $args) . '/';
- }
+ if ($context->contextlevel == CONTEXT_MODULE) {
+ // Leave this line out if you set the itemid to null in make_pluginfile_url (set $itemid to 0 instead).
+ $itemid = array_shift($args); // The first item in the $args array.
+ // Use the itemid to retrieve any relevant data records and perform any security checks to see if the
+ // user really does have access to the file in question.
+ // Extract the filename / filepath from the $args array.
+ $filename = array_pop($args); // The last item in the $args array.
+ if (!$args) {
+ $filepath = '/';
+ } else {
+ $filepath = '/' . implode('/', $args) . '/';
+ }
- // Retrieve the file from the Files API.
- $fs = get_file_storage();
- $file = $fs->get_file($context->id, 'format_vsf', $filearea, $itemid, $filepath, $filename);
- if (!$file) {
- send_file_not_found(); // The file does not exist.
- }
+ // Retrieve the file from the Files API.
+ $fs = get_file_storage();
+ $file = $fs->get_file($context->id, 'format_vsf', $filearea, $itemid, $filepath, $filename);
+ if (!$file) {
+ send_file_not_found(); // The file does not exist.
+ }
- send_stored_file($file, null, 0, $forcedownload, $options);
+ send_stored_file($file, null, 0, $forcedownload, $options);
+ } else {
+ send_file_not_found();
+ }
 }
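Review bot: Between `$itemid = array_shift($args);` and `send_stored_file(...)` the new `CONTEXT_MODULE` branch keeps the template comment about using the itemid for security checks, but no check follows it, so any itemid, path and filename the requester supplies under `$context->id` is served once the context level matches. The function begins above the hunk, so a `require_login($course, true, $cm);` call and a comparison of `$filearea` against the areas this plugin actually owns may already run there; if they do not, they belong before the `get_file()` call. Either way, replace the placeholder with a comment stating what authorises the download, for example `// Access enforced by require_login() above; itemid identifies <RECORD_TYPE>.`. As a smaller style point, the new nesting could be a guard clause in the same form as the check at the top of the hunk, `if ($context->contextlevel != CONTEXT_MODULE) { send_file_not_found(); }`, which would leave the file-serving lines at their original indent.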