-
Bug
-
Resolution: Deferred
-
Major
-
2.3.2
-
MOODLE_23_STABLE
-
When a block gets displayed on a given page then a lot of useful information is available in $PAGE that can be used for has_capability checks. When we are serving images or other files that belong to a given block, then the only information we have available is the pluginfile.php URL.
It seems from MDL-29762 that the pluginfile URL does not always contain all the information that is necessary to perform the correct permission checks.