Thanks Dan, good idea.
Here is the code:
$scanurl = new moodle_url('/plagiarism/copyleaks/scan.php',
array('pathnamehash' => $file->get_pathnamehash(),
'cmid' => $cmid));
$output = html_writer::div(
array('src' => $CFG->wwwroot . '/plagiarism/copyleaks/pix/small-logo.png', 'alt' => 'Copyleaks logo')) .
, array('target' => '_blank')));
$pathnamehash = required_param('pathnamehash', PARAM_TEXT);
$fs = get_file_storage();
$file = $fs->get_file_by_hash($pathnamehash);
For broader context, The code can be found in the following 2 files:
- https://github.com/Copyleaks/moodle-plagiarism_copyleaks/blob/master/lib.php ( lines 232-242 )
- https://github.com/Copyleaks/moodle-plagiarism_copyleaks/blob/master/scan.php ( lines 60 - 61 )
So if I understand correctly, to fix this, there is a set of parameters that can point to a moodle file and are safe to pass between pages so that the file can be served and its permissions be checked?