This is my first post so let me just say hi. I'm a developer for the Open University, which will shortly be using Moodle. Currently, we are working to build in features so that Moodle can take over course websites from our previous system. In the process we're having to make various changes, some of which affect Moodle core. Where these are generally beneficial, we'd like to contribute them to the community if desired. This post is about one such thing.
Basically the way file download HTTP requests work (as of the version I have) is a bit limited. File requests go through moodle/files.php which then applies security checks and sends the file. This means that if a module needs to add or reduce security checks for a specific class of file, it has to edit files.php. For example, I have a module that, once you've uploaded files to one course, it's possible to share them to other (specific) courses without duplicating the physical file. But this doesn't work without modifying files.php because if a user on course 4 requests the file /3/moddata/mymodule/whatever.dat they won't be allowed. (This is just an example, I also want to restrict people from downloading it in specific cases.)
Rather than modifying files.php every time there's a situation like this, or every time I change the module's logic for whether you are allowed to download the file or not, I decided to modify it once My solution does the following:
- For file requests of pattern /courseid/!via/modulename/..., ask module which file to actually send. (The exclamation character was added because it's legal in URLs and unlikely to be used at the beginning of a genuine existing foldername. I commonly use it to indicate a 'system' magic name.)
- For file requests of pattern /courseid/moddata/modulename/... (existing standard module data folder), check whether module uses this new mechanism. If it does, deny the request (otherwise handle as before).
- All other requests handled as before.
modulename_process_file_request takes as parameters the course ID and the rest of the path components (listed as ... above). It returns a path to the real file (most likely to something in that moddata folder, but could be anywhere) or FALSE if the given arguments don't match a file that the user is allowed to have.
Does that sound sensible and useful? (It works for me
If so, I will port the changes (a few lines to files.php and two new functions to filelib.php) into the current moodle HEAD code [we are working on an older version due to various stupid code infrastructure problems], and work up an appropriate patch.
(BTW I also made some other minor changes to filelib.php, basically just allowing reverse lookup of mimeinfo via mime type as well as extension. Those aren't really a big deal though.)