From cb5e6a9a295c3b45144c5ae9bd2a5566ad423939 Mon Sep 17 00:00:00 2001
From: gnaegi <none@none>
Date: Wed, 13 Apr 2016 14:00:57 +0200
Subject: [PATCH] OO-1988 don't show course resource folders to learners

---
 src/main/java/org/olat/course/ICourse.java    |  9 +++---
 .../olat/course/MergedCourseContainer.java    | 28 ++++++++++++-------
 2 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/src/main/java/org/olat/course/ICourse.java b/src/main/java/org/olat/course/ICourse.java
index 5502208a498..e021043342b 100644
--- a/src/main/java/org/olat/course/ICourse.java
+++ b/src/main/java/org/olat/course/ICourse.java
@@ -85,9 +85,10 @@ public interface ICourse extends OLATResourceable {
 	public OlatRootFolderImpl getCourseBaseContainer();
 	
 	/**
-	 * Return the container to the coursefolder of this course.
-	 * (E.g. "COURSEBASEPATH/coursefolder/"). This is for administration
-	 * use. There is no permission check.
+	 * Return the container to the coursefolder of this course. (E.g.
+	 * "COURSEBASEPATH/coursefolder/"). !! This is for administration or
+	 * internal use!! There is no permission check, make sure your controller
+	 * does check if user is allowed to see stuff, e.g. shared folder
 	 * 
 	 * @return the container to the coursefolder of this course
 	 */
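Review bot: The reworded Javadoc leaves the caller's obligation vague, because "!! This is for administration or internal use!!" and "allowed to see stuff, e.g. shared folder" do not say which check is expected. Since the comment itself says this accessor performs no permission check, the contract is worth stating plainly, for example `There is no permission check: callers must verify that the user may see the course folder and any shared folder before exposing the returned container.` The method declaration this comment belongs to lies outside the hunk.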
@@ -95,7 +96,7 @@ public interface ICourse extends OLATResourceable {
 	
 	/**
 	 * The course folder that the user specified by its identity environment
-	 * can see and use.
+	 * can see and use. Used by WebDAV access.
 	 * 
 	 * @param identityEnv
 	 * @return The aggreagted course folder
diff --git a/src/main/java/org/olat/course/MergedCourseContainer.java b/src/main/java/org/olat/course/MergedCourseContainer.java
index 878caf03a0c..428e01720d0 100644
--- a/src/main/java/org/olat/course/MergedCourseContainer.java
+++ b/src/main/java/org/olat/course/MergedCourseContainer.java
@@ -81,11 +81,12 @@ public class MergedCourseContainer extends MergeSource {
 	
 	protected void init(PersistingCourseImpl persistingCourse) {
 		super.init();
+		RepositoryEntry re = null;
 
 		if(identityEnv == null || identityEnv.getRoles().isOLATAdmin()) {
 			addContainersChildren(persistingCourse.getIsolatedCourseFolder(), true);
 		} else {
-			RepositoryEntry re = persistingCourse.getCourseEnvironment().getCourseGroupManager().getCourseEntry();
+			re = persistingCourse.getCourseEnvironment().getCourseGroupManager().getCourseEntry();
 			RepositoryEntrySecurity reSecurity = RepositoryManager.getInstance()
 					.isAllowed(identityEnv.getIdentity(), identityEnv.getRoles(), re);
 			if(reSecurity.isEntryAdmin()) {
@@ -93,18 +94,25 @@ public class MergedCourseContainer extends MergeSource {
 			}
 		}
 			
-		// grab any shared folder that is configured
+		// grab any shared folder that is configured, but only when in unchecked
+		// security mode (no identity environment) or when the user has course
+		// admin rights
 		OlatRootFolderImpl sharedFolder = null;
 		String sfSoftkey = persistingCourse.getCourseConfig().getSharedFolderSoftkey();
 		if (StringHelper.containsNonWhitespace(sfSoftkey) && !CourseConfig.VALUE_EMPTY_SHAREDFOLDER_SOFTKEY.equals(sfSoftkey)) {
-			OLATResource sharedResource = CoreSpringFactory.getImpl(RepositoryService.class)
-					.loadRepositoryEntryResourceBySoftKey(sfSoftkey);
-			if (sharedResource != null) {
-				sharedFolder = SharedFolderManager.getInstance().getSharedFolder(sharedResource);
-				if (sharedFolder != null) {
-					sharedFolder.setLocalSecurityCallback(new ReadOnlyCallback());
-					//add local course folder's children as read/write source and any sharedfolder as subfolder
-					addContainer(new NamedContainerImpl("_sharedfolder", sharedFolder));
+			if (re == null) {
+				// reuse if already loaded, else load
+				re = persistingCourse.getCourseEnvironment().getCourseGroupManager().getCourseEntry();				
+			}
+			if(identityEnv == null || identityEnv.getRoles().isOLATAdmin() || RepositoryManager.getInstance().isOwnerOfRepositoryEntry(identityEnv.getIdentity(), re)) {
+				OLATResource sharedResource = CoreSpringFactory.getImpl(RepositoryService.class).loadRepositoryEntryResourceBySoftKey(sfSoftkey);
+				if (sharedResource != null) {
+					sharedFolder = SharedFolderManager.getInstance().getSharedFolder(sharedResource);
+					if (sharedFolder != null) {
+						sharedFolder.setLocalSecurityCallback(new ReadOnlyCallback());
+						//add local course folder's children as read/write source and any sharedfolder as subfolder
+						addContainer(new NamedContainerImpl("_sharedfolder", sharedFolder));
+					}
 				}
 			}
 		}
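Review bot: The new shared-folder gate tests `isOwnerOfRepositoryEntry(...)`, while the course-folder gate in the previous hunk tests `reSecurity.isEntryAdmin()`, and the added comment says "course admin rights". If the two predicates can differ for some roles (not visible from here), the same user gets one folder but not the other, and the ownership lookup repeats work that `isAllowed(...)` already did. I would decide once: declare `boolean fullAccess = identityEnv == null || identityEnv.getRoles().isOLATAdmin();` before the first `if`, set `fullAccess = reSecurity.isEntryAdmin();` in the `else` branch, and gate the shared folder with `if (fullAccess)`. A null `identityEnv` still means full access, so a caller that omits it by mistake gets the unfiltered view; a comment at the top of `init` should say so. `init` starts in the previous hunk and continues past the end of this one.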
-- 
GitLab