diff --git a/backup/util/checks/backup_check.class.php b/backup/util/checks/backup_check.class.php
index 276482fa864..792939d831e 100644
--- a/backup/util/checks/backup_check.class.php
+++ b/backup/util/checks/backup_check.class.php
@@ -84,10 +84,100 @@ abstract class backup_check {
     }
 
     public static function check_security($backup_controller, $apply) {
+        global $DB;
+
         if (! $backup_controller instanceof backup_controller) {
             throw new backup_controller_exception('backup_check_security_requires_backup_controller');
         }
         $backup_controller->log('checking plan security', backup::LOG_INFO);
+
+        // Some handy vars
+        $type     = $backup_controller->get_type();
+        $mode     = $backup_controller->get_mode();
+        $courseid = $backup_controller->get_courseid();
+        $coursectx= get_context_instance(CONTEXT_COURSE, $courseid);
+        $userid   = $backup_controller->get_userid();
+        $id       = $backup_controller->get_id(); // courseid / sectionid / cmid
+
+        // Note: all the checks along the function MUST be performed for $userid, that
+        // is the user who "requested" the course backup, not current $USER at all!!
+
+        // First of all, check the main backup[course|section|activity] principal caps
+        // Lacking the corresponding one makes this to break with exception always
+        switch ($type) {
+            case backup::TYPE_1COURSE :
+                $DB->get_record('course', array('id' => $id), '*', MUST_EXIST); // course exists
+                require_capability('moodle/backup:backupcourse', $coursectx, $userid);
+                break;
+            case backup::TYPE_1SECTION :
+                $DB->get_record('course_sections', array('course' => $courseid, 'id' => $id), '*', MUST_EXIST); // sec exists
+                require_capability('moodle/backup:backupsection', $coursectx, $userid);
+                break;
+            case backup::TYPE_1ACTIVITY :
+                get_coursemodule_from_id(null, $id, $courseid, false, MUST_EXIST); // cm exists
+                $modulectx = get_context_instance(CONTEXT_MODULE, $id);
+                require_capability('moodle/backup:backupactivity', $modulectx, $userid);
+                break;
+            default :
+                print_error('unknownbackuptype');
+        }
+
+        // Now, if backup mode is hub or import, check userid has permissions for those modes
+        switch ($mode) {
+            case backup::MODE_HUB:
+                require_capability('moodle/backup:backuptargethub', $coursectx, $userid);
+                break;
+            case backup::MODE_IMPORT:
+                require_capability('moodle/backup:backuptargetimport', $coursectx, $userid);
+                break;
+        }
+
+        // Now, enforce 'moodle/backup:userinfo' to 'users' setting, applying changes if allowed,
+        // else throwing exception
+        $userssetting = $backup_controller->get_plan()->get_setting('users');
+        $prevvalue    = $userssetting->get_value();
+        $prevstatus   = $userssetting->get_status();
+        $hasusercap   = has_capability('moodle/backup:userinfo', $coursectx, $userid);
+
+        // If setting is enabled but user lacks permission
+        if (!$hasusercap && $prevvalue) { // If user has not the capability and setting is enabled
+            // Now analyse if we are allowed to apply changes or must stop with exception
+            if (!$apply) { // Cannot apply changes, throw exception
+                $a = new stdclass();
+                $a->setting = 'users';
+                $a->value = $prevvalue;
+                $a->capability = 'moodle/backup:userinfo';
+                throw new backup_controller_exception('backup_setting_value_wrong_for_capability', $a);
+
+            } else { // Can apply changes
+                $userssetting->set_value(false);                              // Set the value to false
+                $userssetting->set_status(base_setting::LOCKED_BY_PERMISSION);// Set the status to locked by perm
+            }
+        }
+
+        // Now, enforce 'moodle/backup:anonymise' to 'anonymise' setting, applying changes if allowed,
+        // else throwing exception
+        $anonsetting = $backup_controller->get_plan()->get_setting('anonymize');
+        $prevvalue   = $userssetting->get_value();
+        $prevstatus  = $userssetting->get_status();
+        $hasanoncap  = has_capability('moodle/backup:anonymise', $coursectx, $userid);
+
+        // If setting is enabled but user lacks permission
+        if (!$hasanoncap && $prevvalue) { // If user has not the capability and setting is enabled
+            // Now analyse if we are allowed to apply changes or must stop with exception
+            if (!$apply) { // Cannot apply changes, throw exception
+                $a = new stdclass();
+                $a->setting = 'anonymize';
+                $a->value = $prevvalue;
+                $a->capability = 'moodle/backup:anonymise';
+                throw new backup_controller_exception('backup_setting_value_wrong_for_capability', $a);
+
+            } else { // Can apply changes
+                $anonsetting->set_value(false);                              // Set the value to false
+                $anonsetting->set_status(base_setting::LOCKED_BY_PERMISSION);// Set the status to locked by perm
+            }
+        }
+
         return true;
     }
 }