--- loncom/interface/lonsource.pm 2020/02/03 19:02:18 1.39
+++ loncom/interface/lonsource.pm 2020/02/17 23:04:18 1.40
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Source Code handler
 #
-# $Id: lonsource.pm,v 1.39 2020/02/03 19:02:18 raeburn Exp $
+# $Id: lonsource.pm,v 1.40 2020/02/17 23:04:18 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -354,14 +354,14 @@ sub handler {
 if ($viewonly) {
 my $canview;
- $filename =~ s/\.\.//g;
- $filename =~ s/\~//g;
- $filename =~ s/\/+/\//g;
- if (($env{'request.course.id'}) && (&Apache::lonnet::is_on_map($filename))) {
- if ((&Apache::lonnet::metadata(&Apache::lonenc::check_decrypt($filename),'sourceavail') eq 'open') &&
- (&Apache::lonnet::allowed('cre','/'))) {
- $canview = 1;
- } elsif (&Apache::lonnet::allowed('vxc',$env{'request.course.id'})) {
+ if ((&Apache::lonnet::metadata($filename,'sourceavail') eq 'open') &&
+ (&Apache::lonnet::allowed('cre','/'))) {
+ $canview = 1;
+ } elsif (($env{'request.course.id'}) && (&Apache::lonnet::is_on_map($filename))) {
+ my $crs_sec = $env{'request.course.id'} . (($env{'request.course.sec'} ne '')
+ ? "/$env{'request.course.sec'}"
+ : '');
+ if (&Apache::lonnet::allowed('vxc',$crs_sec)) {
 my $cdom = $env{'course.'.$env{'request.course.id'}.'.domain'};
 &Apache::lonenc::check_decrypt(\$filename);
 if (($env{'request.role.domain'} eq $cdom) && ($filename =~ /$LONCAPA::assess_re/)) {
@@ -371,7 +371,7 @@ sub handler {
 $canview = 1;
 } elsif ((&Apache::lonnet::metadata($filename,'sourceavail') eq 'open') &&
 ($filename =~ m{^\Q/res/$cdom/}) &&
- (&Apache::lonnet::allowed('bre','/'))) {
+ (&Apache::lonnet::allowed('bre',$crs_sec))) {
 $canview = 1;
 }
 }
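Review bot: The three substitutions that stripped `..`, `~` and repeated slashes from `$filename` are removed from the `$viewonly` branch of the second hunk (-354,14), and nothing visible replaces them. As a result `metadata()`, `is_on_map()` and the later `m{^\Q/res/$cdom/}` prefix test now see the value unnormalized. If `$filename` is already cleaned earlier in `handler` (outside this hunk), a comment such as `# $filename was normalized earlier in handler()` would record that; otherwise the clean-up should stay ahead of the first `metadata()` call. The new first test also passes `$filename` to `metadata()` without `check_decrypt`, which the removed line applied first. For an encrypted path this presumably fails closed and falls through to the `elsif`, but that is worth confirming as intended.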
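Review bot: The `bre` check in the third hunk (-371,7) moves from the root scope `'/'` to `$crs_sec` with no comment explaining the narrower scope, and `$crs_sec` is declared in the previous hunk's `elsif` block. A line such as `# bre must be held in the current course (and section, if any), not at '/'` above the `elsif` would make the authorization intent explicit. The lines between the two hunks are not shown, so it is worth checking that this test is still inside the block where `my $crs_sec` is in scope. `$env{'request.course.sec'} ne ''` will also warn under `use warnings` if the key is undefined; `($env{'request.course.sec'} // '') ne ''` avoids that where the file's minimum Perl allows `//`.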
@@ -389,11 +389,9 @@ sub handler {
 $env{'user.error.msg'}="$shownfilename:bre:1:1:Access to resource denied";
 return HTTP_NOT_ACCEPTABLE;
 }
- unless ($viewonly) {
- unless (&Apache::lonnet::allowed('cre','/')) {
- $env{'user.error.msg'}="$shownfilename:cre:1:1:Access to source code denied";
- return HTTP_NOT_ACCEPTABLE;
- }
+ unless (($viewonly) || (&Apache::lonnet::allowed('cre','/'))) {
+ $env{'user.error.msg'}="$shownfilename:cre:1:1:Access to source code denied";
+ return HTTP_NOT_ACCEPTABLE;
 }
 my $newpath = $env{'form.newpath'};
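Review bot: The merged guard `unless (($viewonly) || (&Apache::lonnet::allowed('cre','/')))` is a compound negation, which is easy to misread on an access-control path. The positive form `if (!$viewonly && !&Apache::lonnet::allowed('cre','/')) {` states the same condition directly. As before the change, a view-only request never needs `cre` here, so it depends entirely on the `bre` denial just above, whose condition starts outside this hunk. A short comment noting that view-only access is decided earlier through `$canview` would help.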