
Assets on WSO2 ES are retrieved by a direct URL, without access control.

Despite not assigning permissions to anonymous users, once a user has the URL to an asset, everyone who knows that URL can download the resource.

Is there any plan to implement access control to assets?

mimaen

1 Answer


This seems to be a bug, as the access rights are supposed to be checked before serving the resource. The list of allowed roles is specified in the configuration files found in the ext/config/ folder. An example of its usage can be found in /store/config/ext/gadget.json:

"storage": {
    "images_banner": {
        "lifecycle": {
            "created": ["private_{overview_provider}"],
            "in-review": ["reviewer", "private_{overview_provider}"],
            "published": ["Internal/everyone", "private_{overview_provider}", "reviewer", "anon"],
            "unpublished": ["private_{overview_provider}"]
        }
    },
    "images_thumbnail": {
        "lifecycle": {
            "created": ["private_{overview_provider}"],
            "in-review": ["reviewer", "private_{overview_provider}"],
            "published": ["Internal/everyone", "private_{overview_provider}", "reviewer", "anon"],
            "unpublished": ["private_{overview_provider}"]
        }
    }
}

I have logged a JIRA for this issue [1] and we will have it fixed in the next release.

[1] https://wso2.org/jira/browse/STORE-383

Thanks, Sameera

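As an added example that is not part of the answer above or of WSO2's own code: the check the answer describes, written in JavaScript against a copy of the quoted storage section. It assumes semantics the page does not spell out: an anonymous caller carries the single role "anon", every authenticated user carries "Internal/everyone", and the "{overview_provider}" placeholder is filled from the asset's overview_provider attribute, so "private_{overview_provider}" becomes a per-provider role such as "private_alice". The request handler, the asset shape and the sample data are constructed for the example.

```javascript
// Added example, not WSO2 ES code: the per-lifecycle-state role check that the
// answer says should run before an asset file is served.
// Assumptions (not stated on the page): anonymous caller => roles ["anon"];
// authenticated users also hold "Internal/everyone"; "{overview_provider}" is
// filled from the asset's overview_provider attribute.

// Constructed copy of the "storage" section of gadget.json quoted in the answer.
const STORAGE_CONFIG = {
  images_banner: {
    lifecycle: {
      "created": ["private_{overview_provider}"],
      "in-review": ["reviewer", "private_{overview_provider}"],
      "published": ["Internal/everyone", "private_{overview_provider}", "reviewer", "anon"],
      "unpublished": ["private_{overview_provider}"]
    }
  },
  images_thumbnail: {
    lifecycle: {
      "created": ["private_{overview_provider}"],
      "in-review": ["reviewer", "private_{overview_provider}"],
      "published": ["Internal/everyone", "private_{overview_provider}", "reviewer", "anon"],
      "unpublished": ["private_{overview_provider}"]
    }
  }
};

// Expand the role templates for one storage field and the asset's current
// lifecycle state. An unknown field or state yields an empty list, so the
// caller denies by default instead of falling open.
function allowedRoles(config, field, asset) {
  const fieldCfg = config[field];
  const perState = fieldCfg && fieldCfg.lifecycle;
  const roles = perState && perState[asset.lifecycleState];
  if (!Array.isArray(roles)) return [];
  return roles.map(r => r.replace(/\{(\w+)\}/g, (match, attr) =>
    // A placeholder with no matching asset attribute is left verbatim, so it
    // can never equal a real role and therefore grants nothing.
    asset[attr] === undefined ? match : String(asset[attr])
  ));
}

// The authorization decision: serve only if the caller holds at least one of
// the roles allowed for this field in the asset's current lifecycle state.
function canServe(config, field, asset, callerRoles) {
  const allowed = allowedRoles(config, field, asset);
  return allowed.some(role => callerRoles.includes(role));
}

// Hypothetical request handler showing where the check belongs: before the
// file bytes are returned, regardless of how the caller obtained the URL.
function handleAssetRequest(config, req) {
  if (!canServe(config, req.field, req.asset, req.callerRoles)) {
    return { status: 403, body: "Forbidden" };
  }
  return { status: 200, body: req.asset.files[req.field] };
}

// Constructed sample assets: the same gadget as a draft and as published.
const draftAsset = {
  overview_provider: "alice",
  lifecycleState: "created",
  files: { images_banner: "<banner bytes>", images_thumbnail: "<thumb bytes>" }
};
const publishedAsset = Object.assign({}, draftAsset, { lifecycleState: "published" });
```

With the check in place, a direct URL to a draft banner returns 403 for an anonymous caller and for any logged-in user who is neither the provider nor a reviewer, while the same URL serves the file once the asset is published; that is the behaviour the question reports as missing.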