#294: bibdocfile: never stream HIDDEN files over web, even to admins
-----------------------+----------------------------------------------------
Reporter: simko | Owner: skaplun
Type: defect | Status: new
Priority: critical | Milestone: v1.0
Component: WebSubmit | Version:
Keywords: |
-----------------------+----------------------------------------------------
When a file is attached to a record with the HIDDEN flag on, the file is
currently still discoverable and streamable over the web when one is logged in
as admin. This should not be so, because then the file is not really fully
hidden from the outside world. A really hidden file should stay hidden from
anyone for remote web access, regardless of the logged-in personality. A
remote web access would differ from the local CLI access in this regard.
(WRT discoverability vs streamability via the web,
`/record/123/files/?verbose=9` may still show its existence to the admin,
but the file itself should not be streamable to the admin.)
--
Ticket URL: <http://invenio-software.org/ticket/294>
Invenio <http://invenio-software.org>
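
The ordering problem the ticket describes, as an added example that is not part of the ticket and not Invenio's bibdocfile code: an admin short-circuit evaluated before the HIDDEN flag, next to a check that evaluates HIDDEN first. All class, function and constant names are hypothetical, and treating CLI callers as trusted local operators is an assumption.

```python
# Added illustration; every name here is hypothetical, not Invenio's bibdocfile API.
from dataclasses import dataclass

WEB, CLI = "web", "cli"          # access channels
LIST, STREAM = "list", "stream"  # actions: show existence vs. send content


@dataclass(frozen=True)
class DocFile:
    name: str
    flags: frozenset = frozenset()   # e.g. frozenset({"HIDDEN"})
    restricted: bool = False         # ordinary restriction that admins may bypass


@dataclass(frozen=True)
class User:
    is_admin: bool = False


def allowed_admin_first(f, user, channel, action):
    """Model of the reported behaviour: the admin role wins before HIDDEN is read."""
    if user.is_admin:
        return True
    if "HIDDEN" in f.flags:
        return channel == CLI
    return not f.restricted


def allowed_hidden_first(f, user, channel, action):
    """Requested behaviour: HIDDEN is decided before any role check."""
    if "HIDDEN" in f.flags:
        if channel == CLI:
            return True           # assumption: CLI callers are local operators
        if action == STREAM:
            return False          # never streamed over the web, admin or not
        return user.is_admin      # existence may still be shown to the admin
    return user.is_admin or not f.restricted


def decision_matrix(check, f):
    """Evaluate a check for every (is_admin, channel, action) combination."""
    return {
        (admin, ch, act): check(f, User(is_admin=admin), ch, act)
        for admin in (False, True)
        for ch in (WEB, CLI)
        for act in (LIST, STREAM)
    }
```

Comparing `decision_matrix` for both checks on a HIDDEN file shows that the only cell that changes is the admin streaming over the web, which makes it a compact regression test for this ticket.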