Yes, the lack of security in Moodle's file area is a bit of a problem for all of Moodle, not just the quiz module. We have plugged that hole here in York, see http://moodle.org/mod/forum/discuss.php?d=14058#67655 and we are currently updating that to Moodle 1.5.
The resource security feature appears to be working fine via $CFG->preventaccesstohiddenfiles. This is in file.php now, but only for resources. I'm not sure why it was not implemented for quizzes also? I gather a problem would be with checking all the HTML in the quiz for linked images each time file.php is run?
One step in the direction of file security is our latest version of MyFiles, to be released in a week or so. All files uploaded to it are unshared by default; the user must decide to share them. When files are linked into a course by the HTML editor, they are set to be shared for the whole course, but the user can go back and unshare them.
So this could work for a hidden quiz, though it would be a two-step process: hide the quiz and then unshare the files / unhide the quiz and then reshare the files.
However, this does provide a mechanism for file access control: the quiz module could be modified to unshare all linked files in a quiz when a quiz is hidden, and reshare them when the quiz is unhidden.
It was not implemented for quizzes because it would slow down file.php; you would have to access lots of database tables only to find out which files belong to each quiz. And if you had files shared by a quiz and a resource, you could get quite unexpected results.
The only solution I see is to separate general file area (file.php) from files used by mods (modfile.php) - it would greatly simplify access control, because each mod could decide what to do with its files.
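An added sketch of the file.php / modfile.php split proposed in the last post (not code from this thread or from Moodle): the path names the owning module, so the dispatcher asks only that module whether the file may be served, and denies by default. The path layout, function names, arrays and user fields are all hypothetical, and the data is constructed for the example.

```php
<?php
// Hypothetical sketch: none of these names are Moodle APIs.
// Constructed sample data standing in for database rows.
$quizzes = [
    7 => ['course' => 3, 'visible' => false],
    8 => ['course' => 3, 'visible' => true],
];

// Each module registers one callback that answers "may this user read this file?".
$file_access_handlers = [
    'quiz' => function (int $instanceid, array $user) use ($quizzes): bool {
        if (!isset($quizzes[$instanceid])) {
            return false;                      // unknown quiz: deny
        }
        $quiz = $quizzes[$instanceid];
        if (!in_array($quiz['course'], $user['courses'], true)) {
            return false;                      // not enrolled in the course
        }
        return $quiz['visible'] || $user['isteacher'];
    },
];

// Parse "/<module>/<instanceid>/<filename>" and ask the owning module only.
function modfile_can_serve(string $pathinfo, array $user, array $handlers): bool
{
    if (!preg_match('#^/([a-z]+)/(\d+)/([A-Za-z0-9._-]+)$#', $pathinfo, $m)) {
        return false;                          // malformed path or traversal attempt
    }
    [, $module, $instanceid, $filename] = $m;
    if ($filename === '.' || $filename === '..' || !isset($handlers[$module])) {
        return false;                          // no owning module: default deny
    }
    return $handlers[$module]((int) $instanceid, $user);
}

$student = ['courses' => [3], 'isteacher' => false];
$teacher = ['courses' => [3], 'isteacher' => true];

// Hidden quiz 7 as student and as teacher, visible quiz 8, then a traversal-style path.
var_dump(modfile_can_serve('/quiz/7/diagram.png', $student, $file_access_handlers));
var_dump(modfile_can_serve('/quiz/7/diagram.png', $teacher, $file_access_handlers));
var_dump(modfile_can_serve('/quiz/8/diagram.png', $student, $file_access_handlers));
var_dump(modfile_can_serve('/quiz/8/../7/diagram.png', $student, $file_access_handlers));
```

Because the module and instance are taken from the path, the check is a single lookup in the owning module's data rather than a scan of every quiz for linked files.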