As we work on various use cases for the Nuxeo Platform, we always come across requirements that give us an opportunity to introduce new features or enhance the existing ones. Today, I will talk about one such requirement: Limiting the download of attached files in a Document.

Let’s extend the requirement by adding the condition that a user should be able to download only some of the attached files of a Document.

The perfect example is a picture or image file. When you upload a picture in the Nuxeo Platform, additional formats will be automatically generated (most of the time with lower resolutions). It is fully customizable and there are a few default formats. Here is an example of what is generated from a Photoshop file.

Screen Shot 2015-11-03 at 16.51.17

It is very convenient that the Nuxeo Platform generates these additional formats but maybe you want to restrict some users from downloading the original format or maybe even the original-size JPEG. This is where we will use the new feature, File Download Security, available in our latest release Nuxeo Platform LTS 2015.

The File Download Security Documentation explains this feature very clearly with examples. There is a new extension point that allows us to define a scriptable permission to decide if the download is authorized or not.

Here is the condition that I have set up (directly in the XML extensions of my Studio project). The condition is that users from the group “LimitedDownload” cannot download the main file or the original-size JPEG:

<extension target="" point="permissions">
   <permission name="limited">
         function run() {
            if (CurrentUser.getGroups().contains("LimitedDownload")){
               if (XPath == "file:content" || XPath == "blobholder:0" || XPath == "OriginalJpeg:content" ) {
                  return false;
            return true;

That’s it! Users from the “LimitedDownload” group will now get a permission denied error when accessing the restricted file. Now, we are working on improving the UI for the response.

Another thing I like about this is that this is a low level security (not UI based), so it will work the same through API calls. In my example, I did not restrict all the ways to download. For instance, our restricted user can still export the files as a zip folder and get all the formats at once. Let’s make it your homework assignment :) You can try it out and let us know what you think.