by Simon Coggins.
What's the best setting for the $forcedownload argument when calling send_stored_file() from within a module's xxx_pluginfile() call? In the Moodle code there are three different examples:
Explicitly set to false (e.g. mod/scorm/lib.php):
send_stored_file($file, $lifetime, 0, false, $options);
Explicitly set to true (e.g. mod/data/lib.php):
send_stored_file($file, 0, 0, true); // download MUST be forced - security!
Use the $forcedownload parameter passed into the *_pluginfile() call (e.g. mod/workshop/lib.php):
send_stored_file($file, 0, 0, $forcedownload, $options);
Is there a "correct" way to do this or does it depend on the source of the file being downloaded? What is the security risk mentioned in the comment for the second one?
Simon