diff --git a/doc/release-notes/11537-featured-items-retrieve-image-bug.md b/doc/release-notes/11537-featured-items-retrieve-image-bug.md
new file mode 100644
index 00000000000..48d75a8b0b8
--- /dev/null
+++ b/doc/release-notes/11537-featured-items-retrieve-image-bug.md
@@ -0,0 +1,3 @@
+## BUG
+
+Featured Item creator can now view/download images when a dataverse is not published. ViewUnpublishedDataverse is not required for the featured item creator.
diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/GetDataverseFeaturedItemCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/GetDataverseFeaturedItemCommand.java
index c594887b6ed..23b9d421c7a 100644
--- a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/GetDataverseFeaturedItemCommand.java
+++ b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/GetDataverseFeaturedItemCommand.java
@@ -30,8 +30,11 @@ public DataverseFeaturedItem execute(CommandContext ctxt) throws CommandExceptio
 @Override
 public Map> getRequiredPermissions() {
- return Collections.singletonMap("",
- dataverseFeaturedItem.getDataverse().isReleased() ? Collections.emptySet()
- : Collections.singleton(Permission.ViewUnpublishedDataverse));
+ // If the dataverse is not released only a user with ViewUnpublishedDataverse permissions or the creator can access the featured item and its images
+ if (!dataverseFeaturedItem.getDataverse().isReleased() && !getRequest().getUser().equals(dataverseFeaturedItem.getDataverse().getCreator())) {
+ return Collections.singletonMap("", Collections.singleton(Permission.ViewUnpublishedDataverse));
+ } else {
+ return Collections.singletonMap("",Collections.emptySet());
+ }
 }
 }
diff --git a/src/test/java/edu/harvard/iq/dataverse/api/DataversesIT.java b/src/test/java/edu/harvard/iq/dataverse/api/DataversesIT.java
index db5bf41053e..6ad509cb6ca 100644
--- a/src/test/java/edu/harvard/iq/dataverse/api/DataversesIT.java
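Review bot: The creator exemption in `getRequiredPermissions()` of GetDataverseFeaturedItemCommand compares the requesting user with `dataverseFeaturedItem.getDataverse().getCreator()`, which is the creator of the dataverse, while the release note in this commit describes an exemption for the featured item's creator. These can be different accounts, and the code comment ("or the creator") does not say which one is intended. Because the branch returns an empty permission set on an identity match, role assignments are not consulted, so the account recorded as creator presumably keeps read access to an unpublished collection's featured items and images even after its roles there are removed; this should be confirmed as intended. I would make the comment explicit, e.g. `// Exempts the dataverse's creator (not the featured item's author); identity check only, role assignments are not consulted`. The DataversesIT addition only covers the creator and an unrelated new user, so a case for a creator whose role on the collection has been revoked would pin the behaviour down.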
+++ b/src/test/java/edu/harvard/iq/dataverse/api/DataversesIT.java
@@ -2184,6 +2184,17 @@ public void testListFeaturedItems() {
 .body("data[2].type", equalTo("custom"))
 .statusCode(OK.getStatusCode());
+ // Verify that the unpublished image can be downloaded by its creator and not by a user without ViewUnpublishedDataverse permissions
+ JsonPath path = JsonPath.from(listDataverseFeaturedItemsResponse.body().asString());
+ String imageUrl = path.getString("data[2].imageFileUrl");
+ Response downloadResponse = given().get(imageUrl + "?key=" + apiToken);
+ downloadResponse.then().assertThat().statusCode(OK.getStatusCode());
+
+ Response createUserResponse2 = UtilIT.createRandomUser();
+ String apiToken2 = UtilIT.getApiTokenFromResponse(createUserResponse2);
+ Response downloadResponse2 = given().get(imageUrl + "?key=" + apiToken2);
+ downloadResponse2.then().assertThat().statusCode(NO_CONTENT.getStatusCode());
+
 // Should return not found error when dataverse does not exist
 listDataverseFeaturedItemsResponse = UtilIT.listDataverseFeaturedItems("thisDataverseDoesNotExist", apiToken);