From ce472d7ba2e4ef641b2014ef07d147dc4a0ce17c Mon Sep 17 00:00:00 2001
From: jmontoyaa
Date: Thu, 26 Apr 2018 11:51:28 +0200
Subject: [PATCH] Check if download is available for user - Fix behat test
---
 main/work/view.php | 23 +++++++++------
 main/work/work.lib.php | 41 ++++++++++++++++-----------
 tests/behat/features/toolWork.feature | 2 +-
 3 files changed, 39 insertions(+), 27 deletions(-)
diff --git a/main/work/view.php b/main/work/view.php
index 4541ae00f8..8dea4ad88b 100755
--- a/main/work/view.php
+++ b/main/work/view.php
@@ -177,15 +177,20 @@ if ((user_is_author($id) || $isDrhOfCourse || (api_is_allowed_to_edit() || api_i
 ),
 api_get_path(WEB_CODE_PATH).'work/work.php?'.api_get_cidreq()
 );
- $actions .= Display::url(
- Display::return_icon(
- 'save.png',
- get_lang('Download'),
- null,
- ICON_SIZE_MEDIUM
- ),
- $work['download_url']
- );
+
+ // Check if file can be downloaded
+ $file = getFileContents($work['id'], $courseInfo, api_get_session_id(), false);
+ if (!empty($file)) {
+ $actions .= Display::url(
+ Display::return_icon(
+ 'save.png',
+ get_lang('Download'),
+ null,
+ ICON_SIZE_MEDIUM
+ ),
+ $work['download_url']
+ );
+ }
 }
 }
diff --git a/main/work/work.lib.php b/main/work/work.lib.php
index 27ae9da3e0..99037e08ec 100755
--- a/main/work/work.lib.php
+++ b/main/work/work.lib.php
@@ -2892,9 +2892,7 @@ function allowOnlySubscribedUser($userId, $workId, $courseId)
 return true;
 }
- if (userIsSubscribedToWork($userId, $workId, $courseId) == false) {
- api_not_allowed(true);
- }
+ return userIsSubscribedToWork($userId, $workId, $courseId);
 }
 /**
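Review bot: The `!empty($file)` guard added in main/work/view.php only decides whether the Download icon is rendered; it is not an access control on the file itself, so whatever serves `$work['download_url']` must make the same decision server-side, and that handler is not part of this patch. If `getFileContents()` loads the file, as its name and docblock suggest, using it as a permission probe also repeats that work on every page view. A comment on the new block would keep the intent clear: `// UI hint only: the download endpoint must re-check access itself`. The enclosing `if` starts outside the hunk.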
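Review bot: `allowOnlySubscribedUser()` used to end the request itself through `api_not_allowed(true)` and now only returns the result of `userIsSubscribedToWork()`, so any caller that still invokes it as a bare statement silently stops enforcing the subscription check. This patch updates the two call sites in `getFileContents()` and `protectWork()`; any other callers are not visible here and should be searched for before merging. The same shift happens one level up in the `@@ -5166` hunk, where `getFileContents()` now returns `false` on denial instead of aborting, so its callers (only view.php is shown) must also stop on `false`. The function's docblock, which is outside the hunk, should gain `@return bool` and a line such as `// Returns the decision only; the caller must deny access on false`. The opening of the function, including the early `return true;` path, is outside the hunk.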
@@ -5120,16 +5118,16 @@ function getFile($id, $course_info, $download = true, $isCorrection = false)
 * Get the file contents for an assigment.
 *
 * @param int $id
- * @param array $course_info
- * @param int Session ID
- * @param $correction
+ * @param array $courseInfo
+ * @param int $sessionId
+ * @param bool $correction
 *
 * @return array|bool
 */
-function getFileContents($id, $course_info, $sessionId = 0, $correction = false)
+function getFileContents($id, $courseInfo, $sessionId = 0, $correction = false)
 {
- $id = intval($id);
- if (empty($course_info) || empty($id)) {
+ $id = (int) $id;
+ if (empty($courseInfo) || empty($id)) {
 return false;
 }
 if (empty($sessionId)) {
@@ -5137,10 +5135,11 @@ function getFileContents($id, $course_info, $sessionId = 0, $correction = false)
 }
 $table = Database::get_course_table(TABLE_STUDENT_PUBLICATION);
- if (!empty($course_info['real_id'])) {
- $sql = 'SELECT *
- FROM '.$table.'
- WHERE c_id = '.$course_info['real_id'].' AND id = "'.$id.'"';
+ if (!empty($courseInfo['real_id'])) {
+ $sql = "SELECT *
+ FROM $table
+ WHERE c_id = ".$courseInfo['real_id']." AND id = $id";
+
 $result = Database::query($sql);
 if ($result && Database::num_rows($result)) {
 $row = Database::fetch_array($result, 'ASSOC');
@@ -5166,12 +5165,16 @@ function getFileContents($id, $course_info, $sessionId = 0, $correction = false)
 return false;
 }
- allowOnlySubscribedUser(
+ $isAllow = allowOnlySubscribedUser(
 api_get_user_id(),
 $row['parent_id'],
- $course_info['real_id']
+ $courseInfo['real_id']
 );
+ if (empty($isAllow)) {
+ return false;
+ }
+
 /*
 field show_score in table course :
 0 => New documents are visible for all users
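Review bot: In the rewritten query of the `@@ -5137` hunk, `$id` has been cast with `(int)` earlier in the function, but `$courseInfo['real_id']` is still concatenated into the SQL string as-is; the `!empty()` guard around it only tests that a value is present. If that array can ever be populated from request data this becomes an injection point, so cast it as well: `$courseId = (int) $courseInfo['real_id'];` and `WHERE c_id = $courseId AND id = $id`. The same value is passed to `allowOnlySubscribedUser()` in the next hunk, so one cast variable would serve both uses. The body of `getFileContents()` continues outside the hunk.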
@@ -5201,7 +5204,7 @@ function getFileContents($id, $course_info, $sessionId = 0, $correction = false)
 */
 $work_is_visible = $item_info['visibility'] == 1 && $row['accepted'] == 1;
- $doc_visible_for_all = (int) $course_info['show_score'] === 0;
+ $doc_visible_for_all = (int) $courseInfo['show_score'] === 0;
 $is_editor = api_is_allowed_to_edit(true, true, true);
 $student_is_owner_of_work = user_is_author($row['id'], api_get_user_id());
@@ -5582,7 +5585,11 @@ function protectWork($courseInfo, $workId)
 api_not_allowed(true);
 }
- allowOnlySubscribedUser($userId, $workId, $courseInfo['real_id']);
+ $isAllow = allowOnlySubscribedUser($userId, $workId, $courseInfo['real_id']);
+ if (empty($isAllow)) {
+ api_not_allowed(true);
+ }
+
 $groupInfo = GroupManager::get_group_properties($groupId);
 if (!empty($groupId)) {
diff --git a/tests/behat/features/toolWork.feature b/tests/behat/features/toolWork.feature
index 4055200d22..e80629892a 100644
--- a/tests/behat/features/toolWork.feature
+++ b/tests/behat/features/toolWork.feature
@@ -50,7 +50,7 @@ Feature: Work tool
 And wait for the page to be loaded
 Then I follow "Correct and rate"
 And wait for the page to be loaded
- Then I follow "Download"
+ Then I should see "base.css"
 # Scenario: Add a comment and a attachment to the work previously uploaded by student
 # Given I am a platform administrator
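Review bot: Replacing `Then I follow "Download"` with `Then I should see "base.css"` in toolWork.feature removes the only step in this scenario that exercised the download link, so the access check this commit introduces has no behavioural coverage. Keeping a download step for a user who is allowed would cover the positive path. A second scenario for a user who is not subscribed to the work could assert that the link is absent; `Then I should not see "Download"` may need adapting, since the link is rendered as an icon. The scenario starts outside the hunk, so which user is acting here is inferred rather than visible.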