A user without download right be able to download a dataset

[navabpourn]

Describe the bug As a user, I have only the READ right of a dataset and I am able to download it.

To Reproduce The first user (nafiseh) uploads a dataset. The first user gives the READ right of this dataset to the second user (naf-UFZ). The second user is able to see the dataset and download all available format of the dataset, also attachments.

Expected behavior The second user should be able only to see the dataset on the browser.

This is found in BEXIS2.12.1

[sventhiel-zz]

Hi @navabpourn,

To some extend, this issue is related to #221. There was a long discussion going on about the set of rights. I changed it but not properly. That's why the dataset is downloadable, even with "read" access only. In general, "view" would be enough for a user to copy/paste the data. For that reason, I changed the check. Currently, "view" fulfills the requirement to download a dataset. But we are going to change/fix it within the next release.

Best regards Sven

[navabpourn]

Thanks a lot dear @sventhiel

[navabpourn]

Dear @ DavidBlaa,

In the current version (v2.12.1) the user with the right to read cannot see the attachments at all. To view and download the attachments, the user must have the right to download.

Cheers, Nafiseh

[DavidBlaa]

I made the following changes. The primary data can only be downloaded if you have download rights. The attached documents can now be opened if you have read rights.

[navabpourn]

Dear @DavidBlaa The test results in 2.12.2: If (upload on a Dataset connected to a File Data Structure) and (I have Read right) Then (I cannot download primary data) But If (I click on the Download button, top right) Then (The primary data will download with attachments and metadata).

[DavidBlaa]

After a few conversations, we have now decided to remove that download right from our system.

[DavidBlaa]

Tested it in 2.12.2_2 and it works fine