From 4e81246bfc2d3c6a8b652c367aad521bdfeb6ac7 Mon Sep 17 00:00:00 2001
From: Ben Pennell
Date: Wed, 30 Nov 2022 10:22:36 -0500
Subject: [PATCH] Return 401s if an unauthorized user attempts to download a workflow restricted file
---
 app/controllers/hyrax/downloads_controller.rb | 6 +++++-
 spec/controllers/hyrax/downloads_controller_spec.rb | 12 ++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/app/controllers/hyrax/downloads_controller.rb b/app/controllers/hyrax/downloads_controller.rb
index 6edfdfe1f7..cee6d8d88d 100644
--- a/app/controllers/hyrax/downloads_controller.rb
+++ b/app/controllers/hyrax/downloads_controller.rb
@@ -42,7 +42,11 @@ def derivative_download_options
 # that files are in a LDP basic container, and thus, included in the asset's uri.
 def authorize_download!
 authorize! :download, params[asset_param_key]
- rescue CanCan::AccessDenied
+ # Deny access if the work containing this file is restricted by a workflow
+ file_set = Hyrax.query_service.find_by_alternate_identifier(alternate_identifier: params[asset_param_key], use_valkyrie: Hyrax.config.use_valkyrie?)
+ return unless workflow_restriction?(file_set.parent, ability: current_ability)
+ raise Hyrax::WorkflowAuthorizationException
+ rescue CanCan::AccessDenied, Hyrax::WorkflowAuthorizationException
 unauthorized_image = Rails.root.join("app", "assets", "images", "unauthorized.png")
 send_file unauthorized_image, status: :unauthorized
 end
diff --git a/spec/controllers/hyrax/downloads_controller_spec.rb b/spec/controllers/hyrax/downloads_controller_spec.rb
index d00debdd64..d30f26fce4 100644
--- a/spec/controllers/hyrax/downloads_controller_spec.rb
+++ b/spec/controllers/hyrax/downloads_controller_spec.rb
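Review bot: In the `downloads_controller.rb` hunk, the new workflow guard in `authorize_download!` passes `file_set.parent` straight to `workflow_restriction?`, and nothing visible here shows what that helper returns when the parent is `nil` (a file set with no containing work). If it returns false, the download proceeds on the CanCan check alone. I would make the decision explicit rather than inherit it from the helper, for example `parent = file_set.parent` followed by `raise Hyrax::WorkflowAuthorizationException if parent && workflow_restriction?(parent, ability: current_ability)`, with a comment saying whether parentless file sets are meant to stay downloadable. Separately, a failed `find_by_alternate_identifier` lookup is not in the `rescue` list, so it would presumably surface as an error response rather than the 401 image. That fails closed, but it deserves a spec that pins it.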
@@ -26,6 +26,18 @@ end end + context 'when restricted by workflow' do + before do + allow(subject).to receive(:workflow_restriction?).and_return(true) + end + + it 'returns :unauthorized status with image content' do + get :show, params: { id: file_set.to_param } + expect(response).to have_http_status(:unauthorized) + expect(response.content_type).to eq 'image/png' + end + end + context "when user isn't logged in" do context "and the unauthorized image exists" do before do
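Review bot: The new `'when restricted by workflow'` example may pass without ever reaching the workflow check, because the hunk does not show which user is signed in for this context. If that user cannot already download the file, `authorize!` raises `CanCan::AccessDenied` first and the same 401 image comes back from the old rescue path. Adding `expect(subject).to have_received(:workflow_restriction?)` to the example would prove the new branch is the one producing the response. A companion example with the stub returning `false` for an authorized user would also guard against the check blocking every download. The enclosing `describe`/`context` blocks start and end outside the hunk.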