MDL-17027: protect user profile images if $CFG->forcelogin enabled; merged from MOODL...

diff --git a/user/pix.php b/user/pix.php
index d106c30981ccabff5dba5a0752b332ae4072a0b0..5dfd941af2a286cd4034109c6dff4826698198b9 100644 (file)
--- a/user/pix.php
+++ b/user/pix.php
@@ -3,11 +3,15 @@
       // Syntax:   pix.php/userid/f1.jpg or pix.php/userid/f2.jpg
       //     OR:   ?file=userid/f1.jpg or ?file=userid/f2.jpg
 
-    define('NO_MOODLE_COOKIES', true);                  // session not used here
-
     require_once('../config.php');
     require_once($CFG->libdir.'/filelib.php');
 
+    if (!empty($CFG->forcelogin) and !isloggedin()) {
+        // protect images if login required and not logged in;
+        // do not use require_login() because it is expensive and not suitable here anyway
+        redirect($CFG->pixpath.'/u/f1.png');
+    }
+
     // disable moodle specific debug messages
     disable_debugging();