When policy enforcement is turned on, and there is a policy in place to allow file uploads from specified paths, only an authenticated user is allowed to see the created externally-managed datastream. Attached is a transcript of what takes place, but in summary, I'm allowed, as fedoraAdmin, to create objects with M and E datastreams whose content is uploaded via the file URI; however, when I attempt to view the Externally Managed datastreams (E) as an unauthenticated anonymous user, I get a "Policy blocked datastream resolution" exception in the logs, caused by an "AuthzDeniedException":
Caused by: org.fcrepo.server.errors.authorization.AuthzDeniedException:
    at org.fcrepo.server.security.PolicyEnforcementPoint.enforce(PolicyEnforcementPoint.java:422) [fcrepo-server-3.4-SNAPSHOT.jar:na]
    at org.fcrepo.server.security.DefaultAuthorization.enforceRetrieveFile(DefaultAuthorization.java:1660) [fcrepo-server-3.4-SNAPSHOT.jar:na]
    at org.fcrepo.server.storage.DefaultExternalContentManager.getFromFilesystem(DefaultExternalContentManager.java:242) [fcrepo-server-3.4-SNAPSHOT.jar:na]
If I retrieve the E datastream authenticated as the fedoraAdmin, then I can see it. Datastreams of other types within the same object are visible to the world, as expected.
Creation of externally-managed datastreams that use a file URI should be controlled by the file-resolution policies, but once the datastreams are created, they should be visible to the world according to the same rules that apply to M, R, and X datastreams in an object.
See attachments for a transcript of a test showing this behavior, and a sample policy file that replaces deny-unallowed-file-resolution.xml.