Limitations needed on metadata export by guest user #112

app/access/AccessType.java

@@ -58,7 +58,9 @@ public enum AccessType {
 	VIEW_ANALYSIS_HISTORY("This user can view the analysis-mode history of an image attribute", new String[] {"project"}),
 
 	DELETE_USERS("Allows user to delete users",new String[] {"user"}),
-	MIMIC_USERS("Allows user to mimic users",new String[] {"user"});
+	MIMIC_USERS("Allows user to mimic users",new String[] {"user"}),
+
+	VIEW_DATA_MODE("Allows the user to view data mode data",new String[] {"project"});
 
 	public String description;
 	public String[] types;

app/controllers/ImageBrowser.java

@@ -231,6 +231,7 @@ public static void resolveFile(Path path, String mode, Project project, Float sc
 
 	@ModelAccess(AccessType.LISTED)
 	public static void downloadAttributes(Project project, Path path, boolean dataMode) {
+		if (dataMode && !PermissionService.hasInheritedAccess(Security.getUser(), project,AccessType.SET_DATA_MODE)) dataMode = false; //TODO change this
 		if (!PermissionService.userCanAccessPath(Security.getUser(),path)) forbidden();
 
 		DatabaseImage image = DatabaseImage.forPath(path);
@@ -247,6 +248,7 @@ public static void downloadAttributes(Project project, Path path, boolean dataMo
 	}
 
 	public static void importAttributes(Project project, Path path, File file, boolean dataMode) throws IOException {
+		if (!PermissionService.hasInheritedAccess(Security.getUser(), project,dataMode ? AccessType.EDIT_DATA_METADATA : AccessType.EDIT_ANALYSIS_METADATA)) forbidden();
 		if (!PermissionService.userCanAccessPath(Security.getUser(),path)) forbidden();
 
 		DatabaseImage dbi = DatabaseImage.forPath(path);