From ecd900c5bb445db363ed8dff1c73bcba29de2067 Mon Sep 17 00:00:00 2001
From: Tim Hunt
Date: Thu, 1 Aug 2024 20:07:54 +0100
Subject: [PATCH] Improve mod_studentquiz_question_pluginfile #812358
---
 lib.php | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/lib.php b/lib.php
index af1b66c6..c0bac58d 100755
--- a/lib.php
+++ b/lib.php
@@ -476,7 +476,7 @@ function studentquiz_pluginfile($course, $cm, $context, $filearea, array $args,
 send_file_not_found();
 }
- require_login($course, false, $cm);
+ require_login($course, false, $cm, false, true);
 send_file_not_found();
 }
@@ -532,7 +532,7 @@ function studentquiz_extend_settings_navigation(settings_navigation $settingsnav
 * @package mod_studentquiz
 * @category files
 * @param stdClass $course course settings object
- * @param stdClass $context context object
+ * @param context $context context object
 * @param string $component the name of the component we are serving files for.
 * @param string $filearea the name of the file area.
 * @param int $qubaid the attempt usage id.
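Review bot: The new `require_login($course, false, $cm, false, true)` call in studentquiz_pluginfile passes two bare positional booleans with no comment, so a reader of the hunk cannot tell that the last one is what stops a file request from being redirected to the login page. A one-line comment above the call would make the access-control intent reviewable, for example `// $setwantsurltome = false, $preventredirect = true: a file request must fail outright, never redirect to login.` The identical call added to mod_studentquiz_question_pluginfile in the third hunk would benefit from the same comment. studentquiz_pluginfile begins outside this hunk, so the conditions leading to this call are not visible here.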
@@ -544,6 +544,30 @@ function studentquiz_extend_settings_navigation(settings_navigation $settingsnav
 */
 function mod_studentquiz_question_pluginfile($course, $context, $component, $filearea, $qubaid, $slot, $args, $forcedownload, array $options = array()) {
+ global $CFG, $DB, $USER;
+
+ if ($context->contextlevel != CONTEXT_MODULE) {
+ send_file_not_found();
+ }
+
+ [$course, $cm] = get_course_and_cm_from_cmid($context->instanceid, 'studentquiz');
+ require_login($course, false, $cm, false, true);
+
+ require_once($CFG->libdir . '/questionlib.php');
+ $quba = question_engine::load_questions_usage_by_activity($qubaid);
+ if ($quba->get_owning_context()->id != $context->id) {
+ send_file_not_found();
+ }
+
+ $attempt = $DB->get_record('studentquiz_attempt', ['questionusageid' => $quba->get_id()], '*', MUST_EXIST);
+ if ($attempt->userid != $USER->id) {
+ send_file_not_found();
+ }
+
+ if (!$quba->check_file_access($slot, new question_display_options(),
+ $component, $filearea, $args, $forcedownload)) {
+ send_file_not_found();
+ }
 $fs = get_file_storage();
 $relativepath = implode('/', $args);
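Review bot: The attempt lookup passes `MUST_EXIST`, so a usage in this context that has no `studentquiz_attempt` row raises a database exception instead of taking the `send_file_not_found()` path that every other denial in the added block uses. The request still fails closed, but the response is distinguishable from the not-found answer given for another user's attempt. Dropping the strictness argument and folding the missing case into the ownership test keeps the denials uniform: `$attempt = $DB->get_record('studentquiz_attempt', ['questionusageid' => $quba->get_id()]);` followed by `if (!$attempt || $attempt->userid != $USER->id) {`. Separately, `check_file_access` is handed a freshly constructed `question_display_options()`; if those defaults leave feedback visible, files in feedback areas could be served regardless of the attempt's state, so it is worth confirming they match the options StudentQuiz actually renders the attempt with. The function body continues past the end of this hunk.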