From a677d1a08369caadc7997940584ee2db41b9d0f9 Mon Sep 17 00:00:00 2001
From: uhensler <urs.hensler@frentix.com>
Date: Mon, 30 Sep 2019 11:59:06 +0200
Subject: [PATCH] OO-4283: Check the whole tree structure to evaluate if the
 user has access to a folder course element

---
 .../org/olat/course/nodes/bc/BCWebService.java     | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/olat/course/nodes/bc/BCWebService.java b/src/main/java/org/olat/course/nodes/bc/BCWebService.java
index bc3f6cbde36..cfc357a2fac 100644
--- a/src/main/java/org/olat/course/nodes/bc/BCWebService.java
+++ b/src/main/java/org/olat/course/nodes/bc/BCWebService.java
@@ -396,29 +396,33 @@ public class BCWebService extends AbstractCourseNodeWebService {
 	public VFSWebservice getVFSWebService(@PathParam("courseId") Long courseId, @PathParam("nodeId") String nodeId, @Context HttpServletRequest request) {
 		ICourse course = CoursesWebService.loadCourse(courseId);
 		if(course == null) {
-			throw new WebApplicationException( Response.serverError().status(Status.NOT_FOUND).build());
+			throw new WebApplicationException(Response.serverError().status(Status.NOT_FOUND).build());
 		}
 		
 		boolean author = isAuthorEditor(course, request);
 		if (!author && !CourseWebService.isCourseAccessible(course, request)) {
-			throw new WebApplicationException( Response.serverError().status(Status.UNAUTHORIZED).build());
+			throw new WebApplicationException(Response.serverError().status(Status.UNAUTHORIZED).build());
 		}
-		
+
+		UserRequest ureq = getUserRequest(request);
 		CourseNode node;
 		if(author) {
 			node = course.getEditorTreeModel().getCourseNode(nodeId);
 		} else {
 			node = course.getRunStructure().getNode(nodeId);
+			boolean accessible = (new CourseTreeVisitor(course, ureq.getUserSession().getIdentityEnvironment())).isAccessible(node);
+			if (!accessible) {
+				throw new WebApplicationException(Response.serverError().status(Status.UNAUTHORIZED).build());
+			}
 		}
 		
 		if(node == null) {
-			throw new WebApplicationException( Response.serverError().status(Status.NOT_FOUND).build());
+			throw new WebApplicationException(Response.serverError().status(Status.NOT_FOUND).build());
 		} else if(!(node instanceof BCCourseNode)) {
 			throw new WebApplicationException(Response.serverError().status(Status.NOT_ACCEPTABLE).build());
 		}
 		
 		BCCourseNode bcNode = (BCCourseNode)node;
-		UserRequest ureq = getUserRequest(request);
 		VFSContainer container = getSecurisedNodeFolderContainer(bcNode, course.getCourseEnvironment(), ureq.getUserSession().getIdentityEnvironment());
 		return new VFSWebservice(container);
 	}
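Review bot: The new accessibility check at L36 runs before the null check at L42, so for a non-author caller `course.getRunStructure().getNode(nodeId)` may hand a null node to `CourseTreeVisitor.isAccessible`. Whether that visitor tolerates null is not visible here; if it dereferences the node, an unknown nodeId now yields an exception (500) on the non-author path instead of the NOT_FOUND the method intends, which also makes the "unknown node" and "hidden node" outcomes distinguishable by status. Guarding the call keeps the 404 semantics intact: `if (node != null && !new CourseTreeVisitor(course, ureq.getUserSession().getIdentityEnvironment()).isAccessible(node)) {`. Separately, the denial is reported as UNAUTHORIZED (401) although the caller is already authenticated at this point; this mirrors the existing check at L24-L27, so it is a style inheritance, but FORBIDDEN (403) would be the more accurate code for a visibility/access-rule denial if the API's error contract allows changing it.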
-- 
GitLab