MDL-17065 user: profile iamges of deleted users are not accessible anymore; merged...

diff --git a/user/pix.php b/user/pix.php
index 00370135c03f5ef170a1002fd82bfedd842bf071..d106c30981ccabff5dba5a0752b332ae4072a0b0 100644 (file)
--- a/user/pix.php
+++ b/user/pix.php
@@ -17,11 +17,14 @@
 
     if (count($args) == 2) {
         $userid   = (integer)$args[0];
-        $image    = $args[1];
-        $pathname = make_user_directory($userid, true) . "/$image";
-        if (file_exists($pathname) and !is_dir($pathname)) {
-            send_file($pathname, $image);
-        } 
+        // do not serve images of deleted users
+        if ($user = $DB->get_record('user', array('id'=>$userid, 'deleted'=>0, 'picture'=>1))) {
+            $image    = $args[1];
+            $pathname = make_user_directory($userid, true) . "/$image";
+            if (file_exists($pathname) and !is_dir($pathname)) {
+                send_file($pathname, $image);
+            }
+        }
     }
 
     // picture was deleted - use default instead