From 307d7703a7fa37c9951919f6ddbe982f4d08b9b7 Mon Sep 17 00:00:00 2001
From: Andrea Adamczyk <andrea.adamczyk@processmaker.com>
Date: Tue, 12 Jan 2021 15:56:01 -0400
Subject: [PATCH] PMCORE-2683

---
 workflow/engine/methods/cases/cases_ShowDocument.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/workflow/engine/methods/cases/cases_ShowDocument.php b/workflow/engine/methods/cases/cases_ShowDocument.php
index c5a544c23..dca1d7de2 100644
--- a/workflow/engine/methods/cases/cases_ShowDocument.php
+++ b/workflow/engine/methods/cases/cases_ShowDocument.php
@@ -51,7 +51,7 @@ if (!empty($_SESSION['GUEST_USER']) && $_SESSION['GUEST_USER'] === RBAC::GUEST_U
 }
 $access = $RBAC->userCanAccess('PM_FOLDERS_ALL') != 1 && defined('DISABLE_DOWNLOAD_DOCUMENTS_SESSION_VALIDATION') && DISABLE_DOWNLOAD_DOCUMENTS_SESSION_VALIDATION == 0;
 if ($access && $isGuestUser === false) {
-    if (isset($_SESSION['USER_LOGGED']) && !$oAppDocument->canDownloadInput($_SESSION['USER_LOGGED'], $_GET['a'], $docVersion)) {
+    if ((isset($_SESSION['USER_LOGGED']) && !$oAppDocument->canDownloadInput($_SESSION['USER_LOGGED'], $_GET['a'], $docVersion)) || !isset($_SESSION['USER_LOGGED'])) {
         G::header('Location: /errors/error403.php?url=' . urlencode($_SERVER['REQUEST_URI']));
         die();
     }