diff --git a/main/document/download.php b/main/document/download.php
index 7ba93bd1e3..4f612b0bfd 100755
--- a/main/document/download.php
+++ b/main/document/download.php
@@ -75,7 +75,7 @@ $full_file_name = $sys_course_path.$_course['path'].'/document'.str_replace('+',
 // Check visibility of document and paths
 $is_allowed_to_edit = api_is_allowed_to_edit();
-if (!$is_allowed_to_edit && !DocumentManager::is_visible($doc_url, $_course)) {
+if (!$is_allowed_to_edit && !DocumentManager::is_visible($doc_url, $_course, api_get_session_id())) {
 Display::display_error_message(get_lang('ProtectedDocument'));//api_not_allowed backbutton won't work.
 exit; // You shouldn't be here anyway.
 }
diff --git a/main/document/showinframes.php b/main/document/showinframes.php
index ed1da59d60..5c6da65423 100755
--- a/main/document/showinframes.php
+++ b/main/document/showinframes.php
@@ -170,7 +170,7 @@ echo ''.get_lang('_cut_paste_link'). //echo '
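Review bot: Passing `api_get_session_id()` into `DocumentManager::is_visible()` in download.php makes the hidden-document lookup session-scoped, and the query shown in the first document.lib.php hunk filters with an exact match, `$condition = "AND id_session = $session_id";`. If course-level documents are stored with `id_session = 0` (not visible in this diff), a document hidden at course level would match no row for a user working inside a session and would presumably pass this check. Consider matching both scopes, e.g. `$condition = "AND id_session IN (0, $session_id)";`, and cover it with a test that requests a course-hidden file from within a session. The script continues outside this hunk, so the handling after `exit;` cannot be checked from here.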
'; if (file_exists($file_url_sys)) { - echo ''; + echo ''; } else { echo ''; }
diff --git a/main/inc/lib/document.lib.php b/main/inc/lib/document.lib.php
index ff13aea861..258acbfe98 100755
--- a/main/inc/lib/document.lib.php
+++ b/main/inc/lib/document.lib.php
@@ -1057,9 +1057,9 @@ class DocumentManager {
 $session_id = intval($session_id);
 $condition = "AND id_session = $session_id";
-
+ // The " d.filetype='file' " let the user see a file even if the folder is hidden see #2198
 $sql = "SELECT path FROM $docTable d, $propTable ip " .
- "WHERE d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' AND visibility=0 $condition AND locate(concat(path,'/'),'".$doc_path."/')=1";
+ "WHERE d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' AND visibility=0 $condition AND d.filetype='file' AND locate(concat(path,'/'),'".$doc_path."/')=1";
 $result = Database::query($sql);
 if (Database::num_rows($result) > 0) {
 $row = Database::fetch_array($result);
@@ -1083,9 +1083,9 @@ class DocumentManager {
 $session_id = intval($session_id);
 $condition = "AND id_session = $session_id";
-
- echo $sql = "SELECT path FROM $docTable d, $propTable ip " .
- "WHERE d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' AND visibility=0 $condition AND d.id = $id";
+ // The " d.filetype='file' " let the user see a file even if the folder is hidden see #2198
+ $sql = "SELECT path FROM $docTable d, $propTable ip " .
+ "WHERE d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' AND d.filetype='file' AND visibility=0 $condition AND d.id = $id";
 $result = Database::query($sql);
 if (Database::num_rows($result) > 0) {
 $row = Database::fetch_array($result);
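Review bot: Adding `d.filetype='file'` to the hidden-path lookup (hunk at -1057) drops folder rows from the result, so hiding a folder no longer denies access to the files beneath it. Because download.php relies on this check, a file inside a hidden folder stays retrievable by direct URL unless it is hidden individually. That matches the stated intent of #2198, but the comment should spell out the access-control consequence, e.g. `// NOTE: a hidden folder no longer protects its files; each file must be hidden individually (see #2198)`. Separately, `$doc_path` is concatenated into the statement at `locate(concat(path,'/'),'".$doc_path."/')=1`. The function begins outside the hunk, so if the value is not escaped before this line it should go through the Database class's escaping helper first.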
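Review bot: In the hunk at -1083, `$id` is interpolated unquoted in `AND d.id = $id`, and unlike `$session_id` no cast is visible for it here. The function begins outside the hunk, so if `$id` is not already forced to an integer there, add `$id = intval($id);` next to the `$session_id` cast. Also, with `d.filetype='file'` in an id lookup, a hidden folder's own id matches no row, so the folder itself would presumably be reported as visible. If folder ids are ever checked through this function, the filter should be limited to the path-prefix query or the behaviour documented in the comment.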