Comment 1 for bug 1262040

Also, while implementing fixes to Bug 1211758 and Bug 1236636 (where we weren't validating artefact ownership before putting artefacts into blocks), we universally used $USER->can_edit_artefact() to check whether a user had the right to put an artefact into a block. We *should* have been using $USER->can_view_artefact() or $USER->can_publish_artefact() in nearly every one of these cases.

In fact, this has caused a notable regression. Currently, if I set a file to "view" permission only, then as a group member I see the file in the file picker, but receive an error when I try to select it.

This will also be tricky to implement, because knowing whether you need to use $USER->can_view_artefact() or $USER->can_publish_artefact() is dependent upon whether the Page is your own or a Group's.