From: toyomoyo Date: Fri, 17 Mar 2006 07:37:27 +0000 (+0000) Subject: had to change this a bit because blogs use different location to store rss, as it... X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=7fe0ce4e6a05865a88cf4dede6c6e1e34f05e0d2;p=moodle.git had to change this a bit because blogs use different location to store rss, as it is not a module, please warn if this is a security issue --- diff --git a/rss/file.php b/rss/file.php index c54957a97c..dd87ed891a 100644 --- a/rss/file.php +++ b/rss/file.php @@ -6,7 +6,7 @@ // name: the name of the module (forum...) // id: the id (instance) of the module (forumid...) //If the course has a password or it doesn't - //allow guest access then the user field is + //allow guest access then the user field is //required to see that the user is enrolled //in the course, else no check is performed. //This allows to limit a bit the rss access @@ -14,24 +14,26 @@ //obviously, but its the best I've thought!! $nomoodlecookie = true; // Because it interferes with caching - + require_once('../config.php'); require_once($CFG->libdir.'/filelib.php'); require_once($CFG->libdir.'/rsslib.php'); - $lifetime = 3600; // Seconds for files to remain in caches - 1 hour $relativepath = get_file_argument('file.php'); + if (!$relativepath) { not_found(); } // extract relative path components $args = explode('/', trim($relativepath, '/')); - - if (count($args) < 5) { + + $isblog = ($args[0] == 'blogs'); + + if (count($args) < 5 && !$isblog) { not_found(); } 
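Review bot: Blog requests are excused from the `count($args) < 5` check but nothing replaces it, so a short `blogs/...` path reaches the next hunk where `$args[2]` and `$args[3]` are read unconditionally as undefined offsets; `$args[0] == 'blogs'` should also be a strict `===`. On the question asked in the commit message: the blog branch at the end of this diff builds `$pathname` from `$relativepath` as received, so unless `get_file_argument()` already normalises `..` segments, the components of a blog path need validating before they touch the filesystem (each through `clean_param(..., PARAM_FILE)` and a fixed expected component count). Suggest `$isblog = ($args[0] === 'blogs');` followed by `if ($isblog && count($args) != BLOG_ARG_COUNT) { not_found(); }`, where BLOG_ARG_COUNT stands for the blog feed's component count, which this diff does not show.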
@@ -40,19 +42,19 @@ $modulename = clean_param($args[2], PARAM_FILE); $instance = (int)$args[3]; $filename = 'rss.xml'; - - if (!$course = get_record("course", "id", $courseid)) { + + if ((!$course = get_record("course", "id", $courseid)) && !$isblog) { not_found(); } - + //Check name of module $mods = get_list_of_plugins("mod"); - if (!in_array(strtolower($modulename), $mods)) { + if (!in_array(strtolower($modulename), $mods) && !$isblog) { not_found(); } //Get course_module to check it's visible - if (!$cm = get_coursemodule_from_instance($modulename,$instance,$courseid)) { + if (!$isblog && (!$cm = get_coursemodule_from_instance($modulename,$instance,$courseid)) ) { not_found(); } @@ -61,18 +63,21 @@ //Check for "security" if !course->guest or course->password if ($course->id != SITEID) { - if ((!$course->guest || $course->password) && (!($isstudent || $isteacher))) { + if (((!$course->guest || $course->password) && (!($isstudent || $isteacher))) && !$isblog) { not_found(); } } - //Check for "security" if the course is hidden or the activity is hidden - if ((!$course->visible || !$cm->visible) && (!$isteacher)) { + //Check for "security" if the course is hidden or the activity is hidden + if (((!$course->visible || !$cm->visible) && (!$isteacher)) && !$isblog) { not_found(); } - $pathname = $CFG->dataroot.'/rss/'.$modulename.'/'.$instance.'.xml'; - + if ($isblog) { + $pathname = $CFG->dataroot.'/rss/'.$relativepath; + } else { + $pathname = $CFG->dataroot.'/rss/'.$modulename.'/'.$instance.'.xml'; + } //Check that file exists if (!file_exists($pathname)) { not_found();
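Review bot: For blog requests `$cm` is never assigned, because `!$isblog &&` short-circuits the `get_coursemodule_from_instance()` call, yet the following hunk still evaluates `$cm->visible` before its trailing `&& !$isblog` is reached, and `$course` may likewise be `false` when `get_record()` finds no course, after which `$course->id != SITEID` is read unguarded. Appending `!$isblog` to the end of each existing condition also means the course and module lookups still execute with module-shaped `$args[2]`/`$args[3]` for blog paths, which is why the `!$isblog` belongs first in those conditions if this structure is kept. Cleaner is to branch once, `if ($isblog) { /* validate blog path, set $pathname */ } else { /* existing module checks */ }`, so the module-only variables are never touched in the blog case; the blog `$pathname` assignment itself is in the next hunk, which is cut off at the end of this excerpt.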