Restricted Thumbnails don't load for any users #1579
Labels: authorization (related to authorization, permissions or groups); bug; component: Item ((Archived) Item display or editing); Estimate TBD; help wanted (needs a volunteer to claim to move forward); high priority
(Discovered during the review of #1556, but it's not specific to Withdrawn Item thumbnails)
Describe the bug
When a Thumbnail image has any sort of access restrictions, it is unable to display even to EPersons who have those access rights. As a basic example, if you modify a Thumbnail image bitstream to have an Administrator READ policy (without an Anonymous READ policy), then that Thumbnail will no longer be displayed for any users, even Administrators. Any time it is accessed, a 401 response will be sent back by the REST API.
As described in 1556, the issue appears to be that the thumbnail gets rendered (see thumbnail.component) by putting its /content link directly in the template and letting the browser retrieve it. So there is no authorisation or short-lived token added. The solution would be, just like for restricted downloads, to retrieve a short-lived token first and add it to the contents URL. However, this is an image shown/resolved by the browser on the item page/search grid view/..., so it can't go through a 'download page' like is done for (restricted) downloads...
To Reproduce
One basic example:
Expected behavior
Ideally, restricted thumbnails should still be displayed to users who have permissions to view them.
Workaround
Currently, the workaround is to ensure all Thumbnails are publicly available. If you encounter this issue, you can modify the policies of the Thumbnail bitstream to ensure it has an Anonymous READ policy.
Related work
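The short-lived-token approach described in the issue, sketched as an added example; it is not part of the original issue and not dspace-angular code. The query parameter name, the `session` object with its `getShortLivedToken()` method, and the `example.org` URLs are assumptions for illustration.

```javascript
// Added example. An <img src> request cannot carry an Authorization header,
// so the token has to travel in the URL the browser fetches.
const TOKEN_PARAM = 'authentication-token'; // assumed parameter name

// Build the value for <img src>. The token is appended only when the content
// link points at the REST API's own origin, so it is never sent to another host.
function buildThumbnailSrc(contentUrl, token, apiOrigin) {
  const url = new URL(contentUrl);
  if (!token || url.origin !== new URL(apiOrigin).origin) {
    return url.toString(); // anonymous or foreign host: plain link
  }
  url.searchParams.set(TOKEN_PARAM, token);
  return url.toString();
}

// Anonymous users keep the plain link (works for public thumbnails);
// authenticated users fetch a short-lived token first.
// `session` is a hypothetical object: { isAuthenticated, getShortLivedToken() }.
async function resolveThumbnailSrc(contentUrl, apiOrigin, session) {
  if (!session.isAuthenticated) {
    return buildThumbnailSrc(contentUrl, null, apiOrigin);
  }
  const token = await session.getShortLivedToken();
  return buildThumbnailSrc(contentUrl, token, apiOrigin);
}

// A token in a URL ends up in logs and history; redact it before logging.
function redactForLog(src) {
  const url = new URL(src);
  if (url.searchParams.has(TOKEN_PARAM)) {
    url.searchParams.set(TOKEN_PARAM, 'REDACTED');
  }
  return url.toString();
}
```

Because the token is visible in the image URL, it should expire quickly and grant nothing beyond reading the content it was issued for.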