Allow the configuration of security policies that will allow or not a blob to be downloaded by a user based on various factors.
- the document,
- the blob,
- the blob's xpath,
- the current user,
- the blob provenance (i.e. the download reason, for instance "rendition"),
- the rendition name, or other extended info available in the download context.
The new configuration is done through the following extension point:
The script must define a run() function that returns a boolean:
- true means that downloading the blob is not disallowed by this permission.
- false means that downloading the blob is forbidden.
The method will get called with the following global context (some values may be null): Document (DocumentModel), XPath (String), Blob (Blob), CurrentUser (NuxeoPrincipal), Reason (String), Rendition (String), Infos (Map).
If there are several permissions defined, a single one returning false is sufficient to forbid the blob download.
See the full documentation at https://doc.nuxeo.com/x/BI_RAQ