From 0c1c29db18856a6f25e21d0405dda2c20b35ff3a Mon Sep 17 00:00:00 2001
From: Angel Fernando Quiroz Campos
Date: Thu, 20 Apr 2023 18:58:07 -0500
Subject: [PATCH] Work: Fix access to download files
---
 main/work/work.lib.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/main/work/work.lib.php b/main/work/work.lib.php
index 409e644b85..4464ad13ef 100755
--- a/main/work/work.lib.php
+++ b/main/work/work.lib.php
@@ -5970,7 +5970,13 @@ function getWorkUserListData(
 */
 function downloadFile($id, $course_info, $isCorrection)
 {
- return getFile($id, $course_info, true, $isCorrection, true);
+ return getFile(
+ $id,
+ $course_info,
+ true,
+ $isCorrection,
+ api_is_course_admin() || api_is_coach()
+ );
 }
 /**
@@ -6055,7 +6061,7 @@ function getFileContents($id, $courseInfo, $sessionId = 0, $correction = false,
 $forceAccessForCourseAdmins
 );
- if (empty($isAllow)) {
+ if (!$isAllow) {
 return false;
 }
@@ -6093,9 +6099,9 @@ function getFileContents($id, $courseInfo, $sessionId = 0, $correction = false,
 $is_editor = api_is_allowed_to_edit(true, true, true);
 $student_is_owner_of_work = user_is_author($row['id'], api_get_user_id());
- if (($forceAccessForCourseAdmins && $isAllow) ||
- $is_editor ||
+ if ($is_editor ||
 $student_is_owner_of_work ||
+ ($forceAccessForCourseAdmins && $isAllow) ||
 ($doc_visible_for_all && $work_is_visible)
 ) {
 $title = $row['title'];
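Review bot: In the first hunk (`downloadFile`), the new fifth argument `api_is_course_admin() || api_is_coach()` is called with no arguments, so it presumably reflects the user's role in the active course/session rather than in the `$course_info` passed to the function. If any caller can supply a `$course_info` that differs from the current context, a teacher or coach of one course would get the bypass for files belonging to another. Confirm that callers always pass the current course, or make the role check course-specific. A short comment on the argument would also record the intent, e.g. `// Only course admins and coaches may skip the owner/visibility checks downstream.` The docblock of `downloadFile` starts above the hunk, so it is not visible whether it describes this rule.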
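Review bot: In the third hunk (`getFileContents`, the `if ($is_editor || ...` condition), access is still granted on the caller-supplied `$forceAccessForCourseAdmins` flag. The `&& $isAllow` part adds nothing if `$isAllow` is not reassigned after the early `return false` in the second hunk. Reordering the `||` operands does not change the result, so the fix rests entirely on every caller passing a correct flag, and any other call site that still passes `true` keeps the old bypass. Consider deriving the role inside the function, e.g. `$isTeacherOrCoach = api_is_course_admin() || api_is_coach();`, and testing that instead of the parameter, or at least audit the remaining callers of `getFile` and `getFileContents`. The function body begins above and continues below the hunk, so the denied branch is not visible here.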