--- loncom/lonnet/perl/lonnet.pm	2000/09/05 13:32:31	1.29
+++ loncom/lonnet/perl/lonnet.pm	2000/09/06 14:25:17	1.30
@@ -626,6 +626,7 @@ sub allowed {
 	return 'F';
     }
 
+# The user does not have full access at system or domain level
 # Course level access control
 
 # uri itself refering to a course?
@@ -634,6 +635,7 @@ sub allowed {
        if ($ENV{'user.priv./'.$uri}=~/$priv\&([^\:]*)/) {
           $thisallowed.=$1;
        }
+# Full access on course level? Exit.
        if ($thisallowed=~/F/) {
 	  return 'F';
        }
@@ -665,9 +667,38 @@ sub allowed {
 	   /\&$urifile\:(\d+)\&/) {
 	   $uricond=$1;
        } elsif (($fe{$uritype} eq 'emb') || ($fe{$uritype} eq 'img')) {
-
+	  my $refuri=$ENV{'HTTP_REFERER'};
+          $refuri=~s/^\/res//;
+          $refuri=~s/^\///;
+          @uriparts=split(/\//,$refuri);
+          $urifile=$uriparts[$#uriparts];
+          $#uriparts--;
+          $uripath=join('/',@uriparts);
+          if ($ENV{'acc.res.'.$ENV{'request.course'}.'.'.$uripath}=~
+	     /\&$urifile\:(\d+)\&/) {
+	     $uricond=$1;
+	  }
        }
 
+       if ($uricond>=0) {
+
+# The resource is part of the course
+# If user had full access on course level, go ahead
+
+           if ($thisallowed=~/F/) {
+	       return 'F';
+           }
+
+# Restricted by state?
+
+           if ($thisallowed=~/X/) {
+	      if (&condval($uricond)>1) {
+	         return '2';
+              } else {
+                 return '';
+              }
+	   }
+       }
     }
     return $thisallowed;
 }