Fixing document slideshow with the updated DocumentManager::is_visible function

skala
Julio Montoya 15 years ago
parent 6dd5bff564
commit ad44e0a196
  1. 5
      main/document/document.php
  2. 14
      main/document/slideshow.php
  3. 12
      main/inc/lib/document.lib.php

@ -106,6 +106,7 @@ if ($tool_visibility == '0' && $to_group_id == '0' && !($is_allowed_to_edit || $
api_not_allowed(true);
}
$htmlHeadXtra[] =
"<script type=\"text/javascript\">
function confirmation (name)
@ -215,8 +216,8 @@ if ($to_group_id != 0 && $curdirpath == '/') {
// Check visibility of the current dir path. Don't show anything if not allowed
if (!$is_allowed_to_edit || api_is_coach()) {
if (!(DocumentManager::is_visible($curdirpath, $_course, api_get_session_id()))) {
if (!$is_allowed_to_edit || api_is_coach()) {
if ($curdirpath != '/' && !(DocumentManager::is_visible($curdirpath, $_course, api_get_session_id()))) {
api_not_allowed();
}
}
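Review bot: The root exemption added in the second hunk, `$curdirpath != '/' && !(DocumentManager::is_visible(...))`, has no comment explaining why the course root skips the visibility check, and it matches only the exact string '/'. Add a line such as `// The root folder has no document row of its own, so only sub-folders go through is_visible()`, if that is the reason. The code that sets `$curdirpath` is outside the hunk, so confirm it is normalised before this test and that every spelling of the root is handled the same way. Any value other than '/' still reaches is_visible(), which is the fail-closed direction, and `!==` would make the exact-match intent explicit.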

@ -18,19 +18,12 @@ $path = Security::remove_XSS($_GET['curdirpath']);
$pathurl = urlencode($path);
$slide_id = Security::remove_XSS($_GET['slide_id']);
if(empty($slide_id))
{
if(empty($slide_id)) {
$edit_slide_id = 1;
}
else
{
} else {
$edit_slide_id = $slide_id;
}
if ($path != '/') {
$folder = $path.'/';
} else {
@ -264,6 +257,9 @@ if ($slide_id != 'all') {
} else {
echo "<a href='slideshow.php?slide_id=0&curdirpath=$pathurl'>";
}
if ($path == '/') {
$path = '';
}
echo "<img src='download.php?doc_url=$path/".$image_files_only[$slide]."' alt='".$image_files_only[$slide]."' border='0'".$height_width_tags.">";
echo '</a>';
echo '</td>';
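Review bot: The lines added before the `<img>` echo overwrite `$path` in place, and the value is then written into `src` without URL or HTML-attribute encoding, although the urlencoded `$pathurl` is used for the link a few lines above. `$path` comes from `$_GET['curdirpath']` via Security::remove_XSS and the file name from `$image_files_only`. Whether either can still carry a quote or `&` at this point is not visible in the hunk, so encoding at output is the safer choice. Compute a local value instead of mutating `$path`, e.g. `$doc_url = ($path == '/' ? '' : $path).'/'.$image_files_only[$slide];`, emit `src='download.php?doc_url=".urlencode($doc_url)."'`, and pass the `alt` text through `htmlspecialchars($image_files_only[$slide], ENT_QUOTES)`. The enclosing block starts and ends outside the hunk.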

@ -1087,7 +1087,7 @@ class DocumentManager {
}
$sql = "SELECT visibility FROM $docTable d, $propTable ip " .
"WHERE d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' $condition AND d.filetype='file' AND locate(concat(path,'/'),'".$doc_path."/')=1";
"WHERE d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' $condition AND locate(concat(path,'/'),'".$doc_path."/')=1";
$result = Database::query($sql);
$is_visible = false;
if (Database::num_rows($result) > 0) {
@ -1095,8 +1095,7 @@ class DocumentManager {
if ($row['visibility'] == 1) {
$is_visible = $_SESSION ['is_allowed_in_course'] || api_is_platform_admin();
}
}
}
//improved protection of documents viewable directly through the url: incorporates the same protections of the course at the url of documents: access allowed for the whole world Open, access allowed for users registered on the platform Private access, document accessible only to course members (see the Users list), Completely closed; the document is only accessible to the course admin and teaching assistants.
//return $_SESSION ['is_allowed_in_course'] || api_is_platform_admin();
return $is_visible;
@ -1111,13 +1110,12 @@ class DocumentManager {
public static function is_visible_by_id($id, $course, $session_id = 0) {
$docTable = Database::get_course_table(TABLE_DOCUMENT, $course['dbName']);
$propTable = Database::get_course_table(TABLE_ITEM_PROPERTY, $course['dbName']);
$id = intval($id);
$id = intval($id);
$session_id = intval($session_id);
$condition = "AND id_session = $session_id";
$condition = "AND id_session = $session_id";
// The " d.filetype='file' " let the user see a file even if the folder is hidden see #2198
$sql = "SELECT path FROM $docTable d, $propTable ip " .
"WHERE d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' AND d.filetype='file' $condition AND d.id = $id";
"WHERE d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' $condition AND d.id = $id";
$result = Database::query($sql);
$is_visible = false;
if (Database::num_rows($result) > 0) {
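Review bot: The comment kept above the query in is_visible_by_id still says the `d.filetype='file'` filter lets a user see a file even if its folder is hidden (#2198), but the new query no longer has that filter, so the comment now contradicts the code. Replace it with something like `// Folder rows are included on purpose: a hidden folder hides the files below it`, if that is the intent. In is_visible the same removal means the prefix match can return a row for the document and one for each ancestor folder, with no ORDER BY. The code that reads the result is mostly outside the hunk, so confirm it denies access when any returned row has a visibility other than 1, rather than deciding on whichever row comes first. `$doc_path` is concatenated into the SQL string and its escaping is not visible here, so confirm it is escaped (e.g. with Database::escape_string) earlier in the function.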
