MDL-32638 workshop_pluginfile() checks for access rights to get the s…

…ubmission files
yousuftafhim · Apr 27, 2012 · 7528e23 · 7528e23
1 parent 92039f1
commit 7528e23
Showing 1 changed file with 32 additions and 6 deletions.
diff --git a/mod/workshop/lib.php b/mod/workshop/lib.php
@@ -1212,10 +1212,8 @@ function workshop_get_file_areas($course, $cm, $context) {
  *
  * Apart from module intro (handled by pluginfile.php automatically), workshop files may be
  * media inserted into submission content (like images) and submission attachments. For these two,
- * the fileareas workshop_submission_content and workshop_submission_attachment are used.
- * The access rights to the files are checked here. The user must be either a peer-reviewer
- * of the submission or have capability ... (todo) to access the submission files.
- * Besides that, areas workshop_instructauthors and mod_workshop instructreviewers contain the media
+ * the fileareas submission_content and submission_attachment are used.
+ * Besides that, areas instructauthors and instructreviewers contain the media
  * embedded using the mod_form.php.
  *
  * @package  mod_workshop
@@ -1231,7 +1229,7 @@ function workshop_get_file_areas($course, $cm, $context) {
  * @return bool false if the file not found, just send the file otherwise and do not return anything
  */
 function workshop_pluginfile($course, $cm, $context, $filearea, array $args, $forcedownload, array $options=array()) {
-    global $DB, $CFG;
+    global $DB, $CFG, $USER;
 
     if ($context->contextlevel != CONTEXT_MODULE) {
         return false;
@@ -1278,7 +1276,35 @@ function workshop_pluginfile($course, $cm, $context, $filearea, array $args, $fo
         if (!$submission = $DB->get_record('workshop_submissions', array('id' => $itemid, 'workshopid' => $workshop->id))) {
             return false;
         }
-        // TODO now make sure the user is allowed to see the file
+
+        // make sure the user is allowed to see the file
+        if (empty($submission->example)) {
+            if ($USER->id != $submission->authorid) {
+                if (!$DB->record_exists('workshop_assessments', array('submissionid' => $submission->id, 'reviewerid' => $USER->id))) {
+                    if (!has_capability('mod/workshop:viewallsubmissions', $context)) {
+                        send_file_not_found();
+                    } else {
+                        $gmode = groups_get_activity_groupmode($cm, $course);
+                        if ($gmode == SEPARATEGROUPS and !has_capability('moodle/site:accessallgroups', $context)) {
+                            // check there is at least one common group with both the $USER
+                            // and the submission author
+                            $sql = "SELECT 'x'
+                                      FROM {workshop_submissions} s
+                                      JOIN {user} a ON (a.id = s.authorid)
+                                      JOIN {groups_members} agm ON (a.id = agm.userid)
+                                      JOIN {user} u ON (u.id = ?)
+                                      JOIN {groups_members} ugm ON (u.id = ugm.userid)
+                                     WHERE s.example = 0 AND s.workshopid = ? AND s.id = ? AND agm.groupid = ugm.groupid";
+                            $params = array($USER->id, $workshop->id, $submission->id);
+                            if (!$DB->record_exists_sql($sql, $params)) {
+                                send_file_not_found();
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
         $fs = get_file_storage();
         $relativepath = implode('/', $args);
         $fullpath = "/$context->id/mod_workshop/$filearea/$itemid/$relativepath";