Bug #10125

Unauthenticated users can click on PDF derivatives when digital object master permissions are denied

Added by Dan Gillean almost 6 years ago. Updated over 5 years ago.

Status:VerifiedStart date:07/13/2016
Priority:MediumDue date:
Assignee:Dan Gillean% Done:


Category:Digital object
Target version:Release 2.3.0
Google Code Legacy ID: Tested version:2.3
Sponsored:No Requires documentation:


Reproduced in RC-1; I'll test to reproduce in my local VM as well.

This only seems to affect PDF derivative images - I'm guessing it might be due to the rename changes Radda made recently to deal with another issue?

  • Upload a PDF as a linked digital object
  • Ensure that anonymous permissions are set so View master = deny
  • Ensure that your description with the PDF is published
  • Log out, then navigate to the description with the linked PDF
  • Click on the reference image
Resulting error
  • User can click on the derivate
  • User is taken to a "page not found" message in AtoM
Expected result
  • User cannot click on PDF reference image when permissions to view the digital object master = deny
  • Behavior is consistent between PDF and other derivatives

Example in RC-1:


#1 Updated by José Raddaoui Marín almost 6 years ago

  • Status changed from New to Code Review
  • Assignee changed from José Raddaoui Marín to Jesús García Crespo

As disscussed in the chat, text objects are always allowed for reading, so it should be showing the PDF instead of the 404 page.

Ready for code review in PR 412

#2 Updated by José Raddaoui Marín almost 6 years ago

  • Status changed from Code Review to QA/Review
  • Assignee changed from Jesús García Crespo to Dan Gillean

Merged in stable/2.3.x and qa/2.4.x

#3 Updated by Dan Gillean almost 6 years ago

  • Requires documentation set to Yes

Adding a note that this requires documentation, because nowhere in our docs does it mention that access to PDF masters is always allowed. We should mention this in a couple places, I think:

  • Check if the Digital object upload page mentions that by default, public users do not have access to Master objects. If not, add it. If yes, add a line clarifying that this is not the case for PDFs
  • Add a note in the Edit permissions page about this

#4 Updated by Dan Gillean almost 6 years ago

  • Status changed from QA/Review to Verified

#5 Updated by Dan Gillean over 5 years ago

  • Requires documentation deleted (Yes)

Also available in: Atom PDF