While copying a file to your Private Files, if we hack $maxbytes in repository_ajax.php (MDL-36448), then it is possible to upload a file which is greater than $maxbytes but smaller than $CFG->userquota. And this means that any area over Moodle do not respect $CFG->maxbytes properly.

The reason is that in between defining the initial $maxbytes for the File Manager and saving the information in file_save_draft_area_files() there is no check for what should be $maxbytes according to the settings. In repository_ajax.php this check is made by using get_user_max_upload_file_size().

Please note that while fixing this, file references should not be affected by any *bytes limitations (areamaxbytes, maxbytes).

To replicate

• Apply the following to repository_ajax.php

  $maxbytes = -1; // get_user_max_upload_file_size($context, $CFG->maxbytes, $coursemaxbytes, $maxbytes);

• Set the setting maxbytes to something small
• Go to your privates files
• Visit Dropbox and upload a file greater than the maxbytes
• Validate the form

Expected

• The file disappears

Actual

• The file is uploaded and accessible in your Private Files