fix: check acl

Author: jdehaan

syntax/bpmnio.php

@@ -93,6 +93,10 @@ private function buildAttributes($string)
 
     private function getMedia($src)
     {
+        if (!auth_quickaclcheck($src) >= AUTH_READ) {
+            return "Error: Access denied for file $src";
+        }
+
         $file = mediaFN($src);
 
         if (!file_exists($file) || !is_readable($file)) {