Add "block_my_files_access" config see BT#15586

Block anon users in the upload / my_files folder

.htaccess

@@ -75,6 +75,9 @@ RewriteRule ^lti/os$ plugin/ims_lti/outcome_service.php [L]
 # http://my.chamilo.net/jdoe to http://my.chamilo.net/user.php?jdoe
 RewriteRule ^([^/.]+)/?$ user.php?$1 [L]
 
+# Deny direct access to user my files
+RewriteRule ^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$ main/social/download_my_files.php?user_id=$2&file=$3 [QSA,L]
+
 # Deny access
 RewriteRule ^(tests|.git) - [F,L,NC]
 

main/install/configuration.dist.php

@@ -1205,6 +1205,9 @@ $_configuration['required_extra_fields_in_profile'] = [
 // See api.lib.php in order to find the options: examples SCORE_DIV = 1, SCORE_PERCENT = 2, etc
 //$_configuration['gradebook_report_score_style'] = 1; //  Means the score will be (X / Y) "SCORE_DIV"
 
+// Blocks "my files" access to anon users
+//$_configuration['block_my_files_access'] = false;
+
 // KEEP THIS AT THE END
 // -------- Custom DB changes
 // Add user activation by confirmation email

main/social/download_my_files.php

@@ -0,0 +1,30 @@
+<?php
+/* For licensing terms, see /license.txt */
+
+require_once __DIR__.'/../inc/global.inc.php';
+
+$userId = isset($_GET['user_id']) ? (int) $_GET['user_id'] : 0;
+$file = isset($_GET['file']) ? $_GET['file'] : '';
+
+if (empty($userId) || empty($file)) {
+    exit;
+}
+
+$dir = UserManager::getUserPathById($userId, 'system');
+if (empty($dir)) {
+    exit;
+}
+$file = $dir.'/my_files/'.$file;
+
+$config = api_get_configuration_value('block_my_files_access');
+
+if ($config) {
+    api_block_anonymous_users();
+}
+
+if (Security::check_abs_path($file, $dir.'my_files/')) {
+    $result = DocumentManager::file_send_for_download($file);
+    if ($result === false) {
+        exit;
+    }
+}