MDL-60680 file: Support any user id when creating tokens for files.

$includetoken parameter type has been changed. Now supports: boolean: False indicates to not include the token, true indicates to generate a token for the current user ($USER). integer: Indicates to generate a token for the user whose id is the integer value.
safatshahin · Apr 23, 2019 · 26e778d · 26e778d
1 parent 333d11c
commit 26e778d
Show file tree

Hide file tree

Showing 7 changed files with 47 additions and 7 deletions.
diff --git a/lib/filelib.php b/lib/filelib.php
@@ -470,7 +470,7 @@ function file_prepare_draft_area(&$draftitemid, $contextid, $component, $fileare
  * @param   array   $options
  *          bool    $options.forcehttps Force the user of https
  *          bool    $options.reverse Reverse the behaviour of the function
- *          bool    $options.includetoken Use a token for authentication
+ *          mixed   $options.includetoken Use a token for authentication. True for current user, int value for other user id.
  *          string  The processed text.
  */
 function file_rewrite_pluginfile_urls($text, $file, $contextid, $component, $filearea, $itemid, array $options=null) {
@@ -483,7 +483,8 @@ function file_rewrite_pluginfile_urls($text, $file, $contextid, $component, $fil
 
     $baseurl = "{$CFG->wwwroot}/{$file}";
     if (!empty($options['includetoken'])) {
-        $token = get_user_key('core_files', $USER->id);
+        $userid = $options['includetoken'] === true ? $USER->id : $options['includetoken'];
+        $token = get_user_key('core_files', $userid);
         $finalfile = basename($file);
         $tokenfile = "token{$finalfile}";
         $file = substr($file, 0, strlen($file) - strlen($finalfile)) . $tokenfile;

diff --git a/lib/outputcomponents.php b/lib/outputcomponents.php
@@ -207,7 +207,8 @@ class user_picture implements renderable {
     public $includefullname = false;
 
     /**
-     * @var bool Include user authentication token.
+     * @var mixed Include user authentication token. True indicates to generate a token for current user, and integer value
+     * indicates to generate a token for the user whose id is the value indicated.
      */
     public $includetoken = false;
 

diff --git a/lib/outputrenderers.php b/lib/outputrenderers.php
@@ -2434,7 +2434,7 @@ public function spacer(array $attributes = null, $br = false) {
      *     - class = image class attribute (default 'userpicture')
      *     - visibletoscreenreaders=true (whether to be visible to screen readers)
      *     - includefullname=false (whether to include the user's full name together with the user picture)
-     *     - includetoken = false
+     *     - includetoken = false (whether to use a token for authentication. True for current user, int value for other user id)
      * @return string HTML fragment
      */
     public function user_picture(stdClass $user, array $options = null) {

diff --git a/lib/tests/filelib_test.php b/lib/tests/filelib_test.php
@@ -1150,6 +1150,19 @@ public function test_file_rewrite_pluginfile_urls_includetoken() {
 
         // Compare the final text is the same that the original.
         $this->assertEquals($originaltext, $finaltext);
+
+        // Now indicates a user different than $USER.
+        $user = $this->getDataGenerator()->create_user();
+        $options = ['includetoken' => $user->id];
+
+        // Rewrite the content. This will generate a new token.
+        $finaltext = file_rewrite_pluginfile_urls(
+                $originaltext, 'pluginfile.php', $syscontext->id, 'user', 'private', 0, $options);
+
+        $token = get_user_key('core_files', $user->id);
+        $expectedurl = new \moodle_url("/tokenpluginfile.php/{$token}/{$syscontext->id}/user/private/0/image.png");
+        $expectedtext = "Fake test with an image <img src=\"{$expectedurl}\">";
+        $this->assertEquals($expectedtext, $finaltext);
     }
 
     /**

diff --git a/lib/tests/outputcomponents_test.php b/lib/tests/outputcomponents_test.php
@@ -113,7 +113,7 @@ public function test_fields_unaliasing_null() {
     }
 
     public function test_get_url() {
-        global $DB, $CFG;
+        global $DB, $CFG, $USER;
 
         $this->resetAfterTest();
 
@@ -219,6 +219,18 @@ public function test_get_url() {
         $up1 = new user_picture($user1);
         $this->assertSame($CFG->wwwroot.'/pluginfile.php/'.$context1->id.'/user/icon/boost/f2?rev=11', $up1->get_url($page, $renderer)->out(false));
 
+        // Uploaded image with token-based access for current user.
+        $up1 = new user_picture($user1);
+        $up1->includetoken = true;
+        $token = get_user_key('core_files', $USER->id);
+        $this->assertSame($CFG->wwwroot.'/tokenpluginfile.php/'.$token.'/'.$context1->id.'/user/icon/boost/f2?rev=11', $up1->get_url($page, $renderer)->out(false));
+
+        // Uploaded image with token-based access for other user.
+        $up1 = new user_picture($user1);
+        $up1->includetoken = $user2->id;
+        $token = get_user_key('core_files', $user2->id);
+        $this->assertSame($CFG->wwwroot.'/tokenpluginfile.php/'.$token.'/'.$context1->id.'/user/icon/boost/f2?rev=11', $up1->get_url($page, $renderer)->out(false));
+
         // Https version.
         $CFG->wwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
 

diff --git a/lib/upgrade.txt b/lib/upgrade.txt
@@ -31,6 +31,12 @@ attribute on forms to avoid collisions in forms loaded in AJAX requests.
 * It is possible to pass additional conditions to get_courses_search();
   core_course_category::search_courses() now allows to search only among courses with completion enabled.
 * Add support for a new xxx_after_require_login callback
+* `$includetoken` parameter type has been changed. Now supports:
+   boolean: False indicates to not include the token, true indicates to generate a token for the current user ($USER).
+   integer: Indicates to generate a token for the user whose id is the integer value.
+* The following functions have been updated to support the new usage:
+    - make_pluginfile_url
+    - file_rewrite_pluginfile_urls
 
 === 3.6 ===
 

diff --git a/lib/weblib.php b/lib/weblib.php
@@ -773,7 +773,9 @@ public static function make_file_url($urlbase, $path, $forcedownload = false) {
      * @param string $pathname
      * @param string $filename
      * @param bool $forcedownload
-     * @param boolean $includetoken Whether to use a user token when displaying this group image.
+     * @param mixed $includetoken Whether to use a user token when displaying this group image.
+     *                True indicates to generate a token for current user, and integer value indicates to generate a token for the
+     *                user whose id is the value indicated.
      *                If the group picture is included in an e-mail or some other location where the audience is a specific
      *                user who will not be logged in when viewing, then we use a token to authenticate the user.
      * @return moodle_url
@@ -786,7 +788,8 @@ public static function make_pluginfile_url($contextid, $component, $area, $itemi
 
         if ($includetoken) {
             $urlbase = "$CFG->wwwroot/tokenpluginfile.php";
-            $token = get_user_key('core_files', $USER->id);
+            $userid = $includetoken === true ? $USER->id : $includetoken;
+            $token = get_user_key('core_files', $userid);
             if ($CFG->slasharguments) {
                 $path[] = $token;
             }
@@ -2491,6 +2494,8 @@ function print_collapsible_region_end($return = false) {
  * @param boolean $return If false print picture, otherwise return the output as string
  * @param boolean $link Enclose image in a link to view specified course?
  * @param boolean $includetoken Whether to use a user token when displaying this group image.
+ *                True indicates to generate a token for current user, and integer value indicates to generate a token for the
+ *                user whose id is the value indicated.
  *                If the group picture is included in an e-mail or some other location where the audience is a specific
  *                user who will not be logged in when viewing, then we use a token to authenticate the user.
  * @return string|void Depending on the setting of $return
@@ -2545,6 +2550,8 @@ function print_group_picture($group, $courseid, $large = false, $return = false,
  * @param  int $courseid The course ID for the group.
  * @param  bool $large A large or small group picture? Default is small.
  * @param  boolean $includetoken Whether to use a user token when displaying this group image.
+ *                 True indicates to generate a token for current user, and integer value indicates to generate a token for the
+ *                 user whose id is the value indicated.
  *                 If the group picture is included in an e-mail or some other location where the audience is a specific
  *                 user who will not be logged in when viewing, then we use a token to authenticate the user.
  * @return moodle_url Returns the url for the group picture.