From db536edde39cce40ef783a91e37c4db43e598551 Mon Sep 17 00:00:00 2001 From: Angel Fernando Quiroz Campos Date: Wed, 1 Apr 2015 17:23:23 -0500 Subject: [PATCH 1/3] Allow hide the certificate export link to students - refs BT#9237 --- certificates/index.php | 7 +++++++ main/gradebook/lib/be/category.class.php | 8 ++++++++ main/install/configuration.dist.php | 3 ++- 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/certificates/index.php b/certificates/index.php index 5619454eb6..d33b879a46 100755 --- a/certificates/index.php +++ b/certificates/index.php @@ -20,6 +20,13 @@ $certificate = new Certificate($_GET['id']); switch ($action) { case 'export': + if ( + api_is_student() && + api_get_configuration_value('hide_certificate_export_link_students') + ) { + api_not_allowed(true); + } + $certificate->generate(array('hide_print_button' => true)); if ($certificate->html_file_is_generated()) { diff --git a/main/gradebook/lib/be/category.class.php b/main/gradebook/lib/be/category.class.php index 34aa635c7d..cb58fd91c4 100755 --- a/main/gradebook/lib/be/category.class.php +++ b/main/gradebook/lib/be/category.class.php @@ -1683,6 +1683,14 @@ class Category implements GradebookItem ), "$url&action=export" ); + + if ( + api_is_student() && + api_get_configuration_value('hide_certificate_export_link_students') + ) { + $exportToPDF = null; + } + $html = array( 'certificate_link' => $certificates, 'pdf_link' => $exportToPDF diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php index 000a7bd157..b942a3083e 100755 --- a/main/install/configuration.dist.php +++ b/main/install/configuration.dist.php 
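Review bot: The guard added at the top of `case 'export':` and the block that nulls `$exportToPDF` in the `category.class.php` hunk repeat the same two-part condition, so the server-side check and the link hiding can drift apart when one of them is edited. I would move it into one shared helper that returns `api_is_student() && api_get_configuration_value('hide_certificate_export_link_students')` and call it from both places. The guard also denies only when `api_is_student()` is true; how anonymous or other non-teaching accounts are classified is not visible here, so it is worth confirming they cannot still reach `$certificate->generate()`. A short comment such as `// Enforce the hidden link server-side: students must not export when the setting is on` would explain why the check sits in the controller. The `switch` continues outside the hunk.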
@@ -301,4 +301,5 @@ $_configuration['system_stable'] = NEW_VERSION_STABLE; //$_configuration['limit_session_admin_role'] = false; // Show session description //$_configuration['show_session_description'] = false; - +// Hide only for students the link to export certificates to PDF +//$_configuration['hide_certificate_export_link_students'] = false; From 6455684115e45e9c1124d4daa22eb7dad8840223 Mon Sep 17 00:00:00 2001 From: Julio Montoya Date: Fri, 3 Apr 2015 08:54:16 +0200 Subject: [PATCH 2/3] DRH can access the announcement tool If setting is on "drh_can_access_all_session_content". See BT#9609 --- main/announcements/announcements.php | 107 +++++++++++++-------------- 1 file changed, 52 insertions(+), 55 deletions(-) diff --git a/main/announcements/announcements.php b/main/announcements/announcements.php index 883e5cdf98..7d9598feda 100755 --- a/main/announcements/announcements.php +++ b/main/announcements/announcements.php @@ -29,10 +29,21 @@ $this_section=SECTION_COURSES; $nameTools = get_lang('ToolAnnouncement'); //session -if(isset($_GET['id_session'])) { +if (isset($_GET['id_session'])) { $_SESSION['id_session'] = intval($_GET['id_session']); } +$allowToEdit = ( + api_is_allowed_to_edit(false, true) || + (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous()) +); + +$sessionId = api_get_session_id(); +$drhHasAccessToSessionContent = api_get_configuration_value('drh_can_access_all_session_content'); +if (!empty($sessionId) && $drhHasAccessToSessionContent) { + $allowToEdit = $allowToEdit || api_is_drh(); +} + /* ACCESS RIGHTS */ api_protect_course_script(true); 
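Review bot: Adding `api_is_drh()` to `$allowToEdit` in the `@@ -29,10 +29,21 @@` hunk gives HR managers the same flag that later gates the visibility, delete and modify branches (`if ($allowToEdit) {` in the `@@ -181,14 +192,12 @@` hunk), while the commit subject and the setting name `drh_can_access_all_session_content` describe access to content, not write rights. If read access is the intent, keep the grant in its own flag, e.g. `$drhCanView = !empty($sessionId) && $drhHasAccessToSessionContent && api_is_drh();`, and use it only where announcements are listed or displayed. `api_is_drh()` is called here without a session argument, so nothing in this hunk shows that the manager is actually attached to `$sessionId`; that should be confirmed or checked explicitly.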
@@ -48,10 +59,10 @@ $maximum = '12'; $length = '36'; // Database Table Definitions -$tbl_courses = Database::get_main_table(TABLE_MAIN_COURSE); -$tbl_sessions = Database::get_main_table(TABLE_MAIN_SESSION); -$tbl_announcement = Database::get_course_table(TABLE_ANNOUNCEMENT); -$tbl_item_property = Database::get_course_table(TABLE_ITEM_PROPERTY); +$tbl_courses = Database::get_main_table(TABLE_MAIN_COURSE); +$tbl_sessions = Database::get_main_table(TABLE_MAIN_SESSION); +$tbl_announcement = Database::get_course_table(TABLE_ANNOUNCEMENT); +$tbl_item_property = Database::get_course_table(TABLE_ITEM_PROPERTY); /* Libraries */ @@ -76,7 +87,7 @@ $safe_newContent = isset($_POST['newContent']) ? $_POST['newContent'] : null; $content_to_modify = $title_to_modify = ''; if (!empty($_POST['To'])) { - if (api_get_session_id()!=0 && + if (api_get_session_id() != 0 && api_is_allowed_to_session_edit(false, true) == false ) { api_not_allowed(true); @@ -181,14 +192,12 @@ if (!empty($group_id)) { $announcement_id = isset($_GET['id']) ? intval($_GET['id']) : null; $message = null; -if (empty($_GET['origin']) or $_GET['origin'] !== 'learnpath') { +if (empty($_GET['origin']) || $_GET['origin'] !== 'learnpath') { //we are not in the learning path - Display::display_header($nameTools,get_lang('Announcements')); + Display::display_header($nameTools, get_lang('Announcements')); } -if (api_is_allowed_to_edit(false,true) OR - (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous()) -) { +if ($allowToEdit) { /* Change visibility of announcement */ @@ -230,7 +239,7 @@ if (api_is_allowed_to_edit(false,true) OR } } - //delete attachment file + // Delete attachment file if (isset($_GET['action']) && $_GET['action'] == 'delete_attachment') { $id = $_GET['id_attach']; if ($ctok == $_GET['sec_token']) { 
@@ -415,7 +424,6 @@ if (api_is_allowed_to_edit(false,true) OR if ($_POST['email_ann'] && empty($_POST['onlyThoseMails'])) { AnnouncementManager::send_email($insert_id, $sendToUsersInSession); } - } // end condition token } // isset @@ -446,10 +454,9 @@ if (empty($_GET['origin']) || $_GET['origin'] !== 'learnpath') { $session_id = api_get_session_id(); $condition_session = api_get_session_condition($session_id, true, true); -if (api_is_allowed_to_edit(false,true)) { +if ($allowToEdit) { // check teacher status if (empty($_GET['origin']) or $_GET['origin'] !== 'learnpath') { - if (api_get_group_id() == 0) { $group_condition = ""; } else { @@ -471,7 +478,7 @@ if (api_is_allowed_to_edit(false,true)) { } else { // students only get to see the visible announcements if (empty($_GET['origin']) or $_GET['origin'] !== 'learnpath') { - $group_memberships=GroupManager::get_group_ids($_course['real_id'], $_user['user_id']); + $group_memberships = GroupManager::get_group_ids($_course['real_id'], $_user['user_id']); if ((api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) { @@ -565,7 +572,7 @@ $announcement_number = Database::num_rows($result); */ $show_actions = false; -if ((api_is_allowed_to_edit(false,true) OR (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) and (empty($_GET['origin']) or $_GET['origin'] !== 'learnpath')) { +if ($allowToEdit && (empty($_GET['origin']) or $_GET['origin'] !== 'learnpath')) { echo '
'; if (isset($_GET['action']) && in_array($_GET['action'], array('add', 'modify','view'))) { echo "".Display::return_icon('back.png',get_lang('Back'),'',ICON_SIZE_MEDIUM).""; @@ -576,7 +583,8 @@ if ((api_is_allowed_to_edit(false,true) OR (api_get_course_setting('allow_user_e } else { if (in_array($_GET['action'], array('view'))) { echo ''; } } @@ -595,18 +603,18 @@ if (api_is_allowed_to_edit() && $announcement_number > 1) { if ($show_actions) echo '
'; - // ANNOUNCEMENTS LIST if ($message) { Display::display_confirmation_message($message); $display_announcement_list = true; - $display_form = false; + $display_form = false; } + if (!empty($error_message)) { Display::display_error_message($error_message); $display_announcement_list = false; - $display_form = true; + $display_form = true; } /* @@ -614,12 +622,10 @@ if (!empty($error_message)) { */ if ($display_form) { - $content_to_modify = stripslashes($content_to_modify); $title_to_modify = stripslashes($title_to_modify); // DISPLAY ADD ANNOUNCEMENT COMMAND - //echo '
'; $id = isset($_GET['id']) ? intval($_GET['id']) : 0; echo ''; if (empty($_GET['id'])) { @@ -635,7 +641,12 @@ if ($display_form) { if (empty($group_id)) { echo '
'; @@ -668,8 +679,6 @@ if ($display_form) { $title_to_modify = sprintf(get_lang('RemindInactiveLearnersMailSubject'), api_get_setting('siteName')); $content_to_modify = get_lang('YourAccountIsActiveYouCanLoginAndCheckYourCourses'); } - } else { - //echo '' . get_lang('Everybody') . ''; } AnnouncementManager::show_to_form($to); echo '
@@ -690,8 +699,6 @@ if ($display_form) { '.get_lang('EmailOption').'
'; - - } else { if (!isset($announcement_to_modify) ) { $announcement_to_modify =""; @@ -738,11 +745,8 @@ if ($display_form) { } $oFCKeditor->Value = $content_to_modify; - echo '
'; - echo Display::display_normal_message(get_lang('Tags').'

'.implode('
', AnnouncementManager::get_tags()), false); - echo $oFCKeditor->CreateHtml(); echo '
'; @@ -795,8 +799,11 @@ if ($display_form) { $course_id = api_get_course_int_id(); //if ($display_announcement_list && !$surveyid) { + if ($display_announcement_list) { - // by default we use the id of the current user. The course administrator can see the announcement of other users by using the user / group filter + // by default we use the id of the current user. + // The course administrator can see the announcement of other + // users by using the user / group filter //$user_id=$_user['user_id']; if (isset($_SESSION['user'])) { //$user_id=$_SESSION['user']; @@ -807,16 +814,12 @@ if ($display_announcement_list) { //$group_id=$_SESSION['group']; } $group_id = api_get_group_id(); - $group_memberships = GroupManager::get_group_ids($course_id, api_get_user_id()); - //$is_group_member = GroupManager :: is_tutor(api_get_user_id()); - - if (api_is_allowed_to_edit(false,true) OR (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) { + if ($allowToEdit) { // A.1. you are a course admin with a USER filter // => see only the messages of this specific user + the messages of the group (s)he is member of. if (!empty($_SESSION['user'])) { - if (is_array($group_memberships) && count($group_memberships) > 0 ) { $sql = "SELECT announcement.*, ip.visibility, ip.to_group_id, ip.insert_user_id, ip.insert_date FROM $tbl_announcement announcement, $tbl_item_property ip @@ -857,7 +860,6 @@ if ($display_announcement_list) { GROUP BY ip.ref ORDER BY display_order DESC"; } else { - // A.3 you are a course admin without any group or user filter // A.3.a you are a course admin without user or group filter but WITH studentview // => see all the messages of all the users and groups without editing possibilities 
@@ -890,8 +892,7 @@ if ($display_announcement_list) { } } } else { - //STUDENT - + // STUDENT if (is_array($group_memberships) && count($group_memberships)>0) { if ((api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) { if (api_get_group_id() == 0) { @@ -902,8 +903,6 @@ if ($display_announcement_list) { $cond_user_id = " AND (ip.lastedit_user_id = '".api_get_user_id()."' OR ip.to_group_id IN (0, ".api_get_group_id()."))"; } - //$cond_user_id = " AND (ip.lastedit_user_id = '".api_get_user_id()."' OR (ip.to_user_id=$user_id OR ip.to_group_id IN (0, ".implode(", ", $group_memberships).") )) "; - } else { if (api_get_group_id() == 0) { $cond_user_id = " AND (ip.to_user_id=$user_id OR ip.to_group_id IN (0, ".implode(", ", $group_memberships).")) "; @@ -924,7 +923,7 @@ if ($display_announcement_list) { ORDER BY display_order DESC"; } else { if ($_user['user_id']) { - if ((api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) { + if ($allowToEdit) { $cond_user_id = " AND (ip.lastedit_user_id = '".api_get_user_id()."' OR (ip.to_user_id='".$_user['user_id']."' OR ip.to_group_id='0')) "; } else { $cond_user_id = " AND (ip.to_user_id='".$_user['user_id']."' OR ip.to_group_id='0') "; @@ -943,8 +942,7 @@ if ($display_announcement_list) { AND announcement.session_id IN(0,".api_get_session_id().") ORDER BY display_order DESC"; } else { - - if ((api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) { + if ($allowToEdit) { $cond_user_id = " AND (ip.lastedit_user_id = '".api_get_user_id()."' OR ip.to_group_id='0' ) "; } else { $cond_user_id = " AND ip.to_group_id='0' "; 
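Review bot: In the `@@ -924,7 +923,7 @@` and `@@ -943,8 +942,7 @@` hunks the new `if ($allowToEdit)` sits inside what appears to be the `else { // STUDENT` side of the outer `if ($allowToEdit)` from the `@@ -807,16 +814,12 @@` hunk, so it can never be true there and the `ip.lastedit_user_id` clause is never selected. Either drop the dead branch or test the narrower condition that is really meant, with a comment such as `// users who may post also see their own announcements`. `$cond_user_id` is assembled by string concatenation in these lines (`$user_id`, `$_user['user_id']`); where those values are set is outside the hunks, so casting them with `intval()` at this point would keep the query safe regardless of their origin. The enclosing block starts and ends outside the hunks.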
@@ -965,14 +963,14 @@ if ($display_announcement_list) { } } - $result = Database::query($sql); - $num_rows = Database::num_rows($result); + $result = Database::query($sql); + $num_rows = Database::num_rows($result); // DISPLAY: NO ITEMS if (!isset($_GET['action']) || !in_array($_GET['action'], array('add', 'modify','view'))) if ($num_rows == 0) { - if ((api_is_allowed_to_edit(false,true) OR (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) and (empty($_GET['origin']) or $_GET['origin'] !== 'learnpath')) { + if ($allowToEdit && (empty($_GET['origin']) or $_GET['origin'] !== 'learnpath')) { echo '
'; echo '

'.get_lang('Announcements').'

'; echo Display::return_icon('valves.png', '', array(), 64); @@ -981,7 +979,6 @@ if ($display_announcement_list) { echo '
'; echo ''; } else { - //echo "".Display::return_icon('new_announce.png',get_lang('AddAnnouncement'),'',ICON_SIZE_MEDIUM).""; Display::display_warning_message(get_lang('NoAnnouncements')); } @@ -993,8 +990,10 @@ if ($display_announcement_list) { $ths = Display::tag('th', get_lang('Title')); $ths .= Display::tag('th', get_lang('By') ); $ths .= Display::tag('th', get_lang('LastUpdateDate') ); - if (api_is_allowed_to_edit(false,true) OR (api_is_course_coach() && api_is_element_in_the_session(TOOL_ANNOUNCEMENT,$myrow['id'])) - OR (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) { + if ($allowToEdit || + (api_is_course_coach() && api_is_element_in_the_session(TOOL_ANNOUNCEMENT,$myrow['id'])) || + (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous()) + ) { $ths .= Display::tag('th', get_lang('Modify')); } @@ -1047,8 +1046,7 @@ if ($display_announcement_list) { // we can edit if : we are the teacher OR the element belongs to the session we are coaching OR the option to allow users to edit is on $modify_icons = ''; - if (api_is_allowed_to_edit(false,true) OR (api_is_course_coach() && api_is_element_in_the_session(TOOL_ANNOUNCEMENT, $myrow['id'])) - OR (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) { + if ($allowToEdit || (api_is_course_coach() && api_is_element_in_the_session(TOOL_ANNOUNCEMENT, $myrow['id']))) { $modify_icons = "".Display::return_icon('edit.png', get_lang('Edit'),'',ICON_SIZE_SMALL).""; if ($myrow['visibility']==1) { @@ -1072,7 +1070,7 @@ if ($display_announcement_list) { } else { $modify_icons .= Display::return_icon('down_na.gif', get_lang('Down')); } - if (api_is_allowed_to_edit(false,true)) { + if ($allowToEdit) { $modify_icons .= "". Display::return_icon('delete.png', get_lang('Delete'),'',ICON_SIZE_SMALL). ""; 
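Review bot: The delete link in the `@@ -1072,7 +1070,7 @@` hunk is now rendered for everyone with `$allowToEdit`, where it used to require `api_is_allowed_to_edit(false,true)`; that includes users who qualify only through the `allow_user_edit_announcement` course setting and, in a session, HR managers. The `@@ -446,10 +454,9 @@` hunk widens the `// check teacher status` branch in the same way. No ownership check is visible in these hunks, so if ordinary users are meant to manage only their own announcements, keep the teacher test in these two spots, e.g. `if (api_is_allowed_to_edit(false, true)) {`. In the `@@ -993,8 +990,10 @@` hunk the third clause repeats a condition that `$allowToEdit` already contains at this commit and can be dropped.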
@@ -1088,7 +1086,6 @@ if ($display_announcement_list) { } } // end: if ($displayAnnoucementList) - if (isset($_GET['action']) && $_GET['action'] == 'view') { AnnouncementManager::display_announcement($announcement_id); } From acd19ea3615c20a00b9bbd6a421b54e48ecfae38 Mon Sep 17 00:00:00 2001 From: Julio Montoya Date: Fri, 3 Apr 2015 09:10:31 +0200 Subject: [PATCH 3/3] Fix permissions for DRH see BT#9609 --- main/announcements/announcements.inc.php | 7 +++---- main/announcements/announcements.php | 24 ++++++++---------------- 2 files changed, 11 insertions(+), 20 deletions(-) diff --git a/main/announcements/announcements.inc.php b/main/announcements/announcements.inc.php index d20f58851e..bdd0ab91f8 100755 --- a/main/announcements/announcements.inc.php +++ b/main/announcements/announcements.inc.php @@ -152,7 +152,7 @@ class AnnouncementManager * Displays one specific announcement * @param int $announcement_id, the id of the announcement you want to display */ - public static function display_announcement($announcement_id) + public static function display_announcement($announcement_id, $allowToEdit) { if ($announcement_id != strval(intval($announcement_id))) { return false; @@ -164,7 +164,7 @@ class AnnouncementManager $course_id = api_get_course_int_id(); - if (api_is_allowed_to_edit(false, true) || (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) { + if ($allowToEdit) { $sql_query = " SELECT announcement.*, toolitemproperties.* FROM $tbl_announcement announcement, $tbl_item_property toolitemproperties WHERE announcement.id = toolitemproperties.ref @@ -174,7 +174,6 @@ class AnnouncementManager toolitemproperties.c_id = $course_id ORDER BY display_order DESC"; } else { - $group_list = GroupManager::get_group_ids($course_id, api_get_user_id()); if (empty($group_list)) { $group_list[] = 0; 
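Review bot: `display_announcement()` is a public static method and, after the `@@ -152,7 +152,7 @@` hunk, requires a second argument that selects the unrestricted query and the edit icons, so the authorization decision is whatever the caller passes in. A default of `false` keeps existing callers working and fails closed: `public static function display_announcement($announcement_id, $allowToEdit = false)`. The docblock above it should gain `@param bool $allowToEdit whether the current user may edit announcements (computed by the caller)`. The method body continues outside the hunk.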
@@ -212,7 +211,7 @@ class AnnouncementManager echo ""; echo ""; - if (api_is_allowed_to_edit(false, true) || (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) { + if ($allowToEdit) { $modify_icons = "" . Display::return_icon('edit.png', get_lang('Edit'), '', ICON_SIZE_SMALL) . ""; if ($result['visibility'] == 1) { $image_visibility = "visible"; diff --git a/main/announcements/announcements.php b/main/announcements/announcements.php index 7d9598feda..b1ef9fefa3 100755 --- a/main/announcements/announcements.php +++ b/main/announcements/announcements.php @@ -40,6 +40,11 @@ $allowToEdit = ( $sessionId = api_get_session_id(); $drhHasAccessToSessionContent = api_get_configuration_value('drh_can_access_all_session_content'); + +if (!empty($sessionId)) { + $allowToEdit = $allowToEdit && api_is_allowed_to_session_edit(false, true); +} + if (!empty($sessionId) && $drhHasAccessToSessionContent) { $allowToEdit = $allowToEdit || api_is_drh(); } @@ -87,9 +92,7 @@ $safe_newContent = isset($_POST['newContent']) ? $_POST['newContent'] : null; $content_to_modify = $title_to_modify = ''; if (!empty($_POST['To'])) { - if (api_get_session_id() != 0 && - api_is_allowed_to_session_edit(false, true) == false - ) { + if (!$allowToEdit) { api_not_allowed(true); } $display_form = true; @@ -132,7 +135,7 @@ $origin = isset($_GET['origin']) ? Security::remove_XSS($_GET['origin']) : null; if (((!empty($_GET['action']) && $_GET['action'] == 'add') && $_GET['origin'] == "") || (!empty($_GET['action']) && $_GET['action'] == 'edit') || !empty($_POST['To']) ) { - if (api_get_session_id()!=0 && api_is_allowed_to_session_edit(false,true) == false) { + if (api_get_session_id() != 0 && !$allowToEdit) { api_not_allowed(true); } $display_form = true; 
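Review bot: In the `@@ -40,6 +40,11 @@` hunk the session restriction is applied first and `|| api_is_drh()` afterwards, so an HR manager never passes through `api_is_allowed_to_session_edit(false, true)`. This commit also removes the per-action session checks from the show/hide, delete and modify branches (`@@ -206,9 +209,6 @@`, `@@ -221,9 +221,6 @@`, `@@ -262,10 +259,6 @@`), which leaves `$allowToEdit` as the only gate for those writes. If HR managers are meant to read only, move the DRH grant to a separate view flag and apply `$allowToEdit = $allowToEdit && api_is_allowed_to_session_edit(false, true);` after every grant rather than before. The `@@ -132,7 +135,7 @@` hunk still tests `api_get_session_id() != 0 && !$allowToEdit` while the `@@ -87,9 +92,7 @@` hunk tests `!$allowToEdit` alone; using the same condition in both would avoid a form path that is not gated outside sessions.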
@@ -206,9 +209,6 @@ if ($allowToEdit) { // change visibility -> studentview -> course manager view if (!isset($_GET['isStudentView']) || $_GET['isStudentView']!='false') { if (isset($_GET['id']) AND $_GET['id'] AND isset($_GET['action']) AND $_GET['action']=="showhide") { - if (api_get_session_id()!=0 && api_is_allowed_to_session_edit(false,true)==false) { - api_not_allowed(); - } if (!api_is_course_coach() || api_is_element_in_the_session(TOOL_ANNOUNCEMENT, $_GET['id'])) { if ($ctok == $_GET['sec_token']) { AnnouncementManager::change_visibility_announcement($_course, $_GET['id']); @@ -221,9 +221,6 @@ if ($allowToEdit) { /* Delete announcement */ if (!empty($_GET['action']) && $_GET['action']=='delete' && isset($_GET['id'])) { $id = intval($_GET['id']); - if (api_get_session_id()!=0 && api_is_allowed_to_session_edit(false, true) == false) { - api_not_allowed(); - } if (!api_is_course_coach() || api_is_element_in_the_session(TOOL_ANNOUNCEMENT, $id)) { // tooledit : visibility = 2 : only visible for platform administrator @@ -262,10 +259,6 @@ if ($allowToEdit) { /* Modify announcement */ if (!empty($_GET['action']) and $_GET['action']=='modify' AND isset($_GET['id'])) { - if (api_get_session_id()!=0 && api_is_allowed_to_session_edit(false,true)==false) { - api_not_allowed(); - } - $display_form = true; // RETRIEVE THE CONTENT OF THE ANNOUNCEMENT TO MODIFY @@ -981,7 +974,6 @@ if ($display_announcement_list) { } else { Display::display_warning_message(get_lang('NoAnnouncements')); } - } else { $iterator = 1; $bottomAnnouncement = $announcement_number; @@ -1087,7 +1079,7 @@ if ($display_announcement_list) { } // end: if ($displayAnnoucementList) if (isset($_GET['action']) && $_GET['action'] == 'view') { - AnnouncementManager::display_announcement($announcement_id); + AnnouncementManager::display_announcement($announcement_id, $allowToEdit); } /* FOOTER */

" . $title . "