Return 401s if an unauthorized user attempts to download a workflow r…

…estricted file

app/controllers/hyrax/downloads_controller.rb

@@ -3,6 +3,7 @@ module Hyrax
   class DownloadsController < ApplicationController
     include Hydra::Controller::DownloadBehavior
     include Hyrax::LocalFileDownloadsControllerBehavior
+    include Hyrax::WorkflowsHelper # Provides #workflow_restriction?
 
     def self.default_content_path
       :original_file
@@ -42,7 +43,11 @@ def derivative_download_options
     # that files are in a LDP basic container, and thus, included in the asset's uri.
     def authorize_download!
       authorize! :download, params[asset_param_key]
-    rescue CanCan::AccessDenied
+      # Deny access if the work containing this file is restricted by a workflow
+      file_set = Hyrax.query_service.find_by_alternate_identifier(alternate_identifier: params[asset_param_key], use_valkyrie: Hyrax.config.use_valkyrie?)
+      return unless workflow_restriction?(file_set.parent, ability: current_ability)
+      raise Hyrax::WorkflowAuthorizationException
+    rescue CanCan::AccessDenied, Hyrax::WorkflowAuthorizationException
       unauthorized_image = Rails.root.join("app", "assets", "images", "unauthorized.png")
       send_file unauthorized_image, status: :unauthorized
     end

spec/controllers/hyrax/downloads_controller_spec.rb

@@ -26,6 +26,18 @@
       end
     end
 
+    context 'when restricted by workflow' do
+      before do
+        allow(subject).to receive(:workflow_restriction?).and_return(true)
+      end
+
+      it 'returns :unauthorized status with image content' do
+        get :show, params: { id: file_set.to_param }
+        expect(response).to have_http_status(:unauthorized)
+        expect(response.content_type).to eq 'image/png'
+      end
+    end
+
     context "when user isn't logged in" do
       context "and the unauthorized image exists" do
         before do