Overview of the Feature Request
There are two permissions which have an undocumented hierarchical relationship: `ViewUnpublishedDataset` and `DownloadFile`. The user who has no `DownloadFile`, but has `ViewUnpublishedDataset` permission can download files, which is - according to our users* and I agree with them - counterintuitive. I expect that the person who does not have the right to download files should not be able to download files.
On code level (https://github.com/IQSS/dataverse/blob/develop/src/main/java/edu/harvard/iq/dataverse/api/Access.java#L1868):
```java
private boolean isAccessAuthorized(User requestUser, DataFile df) {
    ...
    if (!published) { // and restricted or embargoed (implied by earlier processing)
        // If the file is not published, they can still download the file, if the user
        // has the permission to view unpublished versions:
        // This line handles all three authenticated session user, token user, and guest cases.
        if (permissionService.requestOn(dvr, df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
            // it's not unthinkable, that a GuestUser could be given
            // the ViewUnpublished permission!
            logger.log(Level.FINE,
                    "Session-based auth: user {0} has access rights on the non-restricted, unpublished datafile.",
                    dvr.getUser().getIdentifier());
            return true;
        }
    } else { // published and restricted and/or embargoed
        // This line also handles all three authenticated session user, token user, and guest cases.
        if (permissionService.requestOn(dvr, df).has(Permission.DownloadFile)) {
            return true;
        }
    }
    ...
}
```
There are two suggestions from our users:
1. The person who has permission `ViewUnpublishedDataset` can view the dataset and files metadata only without downloading files. The person who has permission `ViewUnpublishedDataset` AND `DownloadFile` can download files from an unpublished dataset.
2. The permissions and dependencies among them should be clearly documented. Right now there is nothing about them in the documentation and in the user interface other than their names.

I think that introducing the first suggestion might break existing permissions, so if it would be introduced
- there should be a migration process that would add `DownloadFile` permissions to those who have `ViewUnpublishedDataset`
- there should be a flag to turn this feature on, so the administrator of the Dataverse service could decide to follow this policy or not
What kind of user is the feature intended for?
(Example users roles: API User, Curator, Depositor, Guest, Superuser, Sysadmin)
all
What inspired the request?
Inconsistency in the current behaviour of the software.
What existing behavior do you want changed?
Who can download files of unpublished datasets.
Any brand new behavior do you want to add to Dataverse?
No, but I would like to change who can download files from unpublished datasets.
Any open or closed issues related to this feature request?
Yes, see #4389 (comment)
None of the "shipped" roles have ViewUnpublishedDataset permission without also having DownloadFile permission, so I would be less concerned about "breaking" existing permissions. I think this is likely just a bug that we never noticed, because of that reason.
So I would vote we fix the code in there to look for DownloadFile permission, since, if I understand correctly, you have a use case where you want to give users a (custom) role where they can view the metadata, but not download files?
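A stand-alone model of the check quoted in the issue and of the first suggestion, added here as an example (it is not Dataverse code). The `Permission` enum, the `strict` flag and the role names are hypothetical stand-ins, and only the unpublished and published-restricted branches shown in the excerpt are modelled.

```java
import java.util.*;

// Stand-alone model of the access decision discussed in this issue.
// All types here are hypothetical stand-ins, not Dataverse classes.
public class UnpublishedDownloadPolicy {
    enum Permission { ViewUnpublishedDataset, DownloadFile }

    // Behaviour of the quoted excerpt: an unpublished file consults only ViewUnpublishedDataset.
    static boolean currentCheck(boolean published, Set<Permission> granted) {
        return published ? granted.contains(Permission.DownloadFile)
                         : granted.contains(Permission.ViewUnpublishedDataset);
    }

    // Suggested behaviour: DownloadFile is always required; unpublished files
    // additionally need ViewUnpublishedDataset. The flag (hypothetical) lets an
    // administrator keep the old policy.
    static boolean proposedCheck(boolean published, Set<Permission> granted, boolean strict) {
        if (!strict) return currentCheck(published, granted);
        if (!granted.contains(Permission.DownloadFile)) return false;
        return published || granted.contains(Permission.ViewUnpublishedDataset);
    }

    // Migration audit: roles whose holders would lose download access under the strict policy.
    static List<String> rolesAffected(Map<String, Set<Permission>> roles) {
        List<String> out = new ArrayList<>();
        for (var e : roles.entrySet()) {
            Set<Permission> p = e.getValue();
            if (p.contains(Permission.ViewUnpublishedDataset) && !p.contains(Permission.DownloadFile))
                out.add(e.getKey());
        }
        Collections.sort(out);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample roles; the names are made up for this example.
        Map<String, Set<Permission>> roles = new HashMap<>();
        roles.put("curatorLike", EnumSet.allOf(Permission.class));
        roles.put("metadataReviewer", EnumSet.of(Permission.ViewUnpublishedDataset));
        roles.put("downloaderOnly", EnumSet.of(Permission.DownloadFile));
        for (var e : roles.entrySet()) {
            Set<Permission> p = e.getValue();
            System.out.printf("%-17s unpublished: current=%b strict=%b%n", e.getKey(),
                    currentCheck(false, p), proposedCheck(false, p, true));
        }
        System.out.println("Roles needing migration or review: " + rolesAffected(roles));
    }
}
```

Running the audit over the real role definitions before enabling a stricter check shows which custom roles the migration step would have to touch.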