Container 44883: Prevent anonymous multi-download access#11159

Open
matheuszych wants to merge 1 commit into ILIAS-eLearning:release_10 from matheuszych:bg/44883

@matheuszych
Contributor

https://mantis.ilias.de/view.php?id=44883

Aims to allow the anonymous user to start a download job in a container and to see the notification center.
@thojou @mjansenDatabay

@matheuszych
Contributor Author

@matthiaskunkel
I believe this is not a trivial change and should be discussed by the Jour Fixe. Please correct me if I am wrong about this.

Agenda note (Jour Fixe):

Decision needed: Enable anonymous users to perform the “Download Multiple Objects” action (Container) and to view Notifications (Notifications). This alters default ILIAS behavior and affects two components. The current UI already shows the download button but denies execution. Even if execution were permitted, the user would not be shown the download link. Should both actions be available to anonymous users? Otherwise, the “Download Multiple Objects” action should probably not be shown to anonymous users in the first place.

@mjansenDatabay
Contributor

mjansenDatabay commented Feb 20, 2026

Hi @matheuszych,

I have a question: If you as anonymous person A initiated a multi-download in the graphical user interface, and this task is then successfully processed by the ILIAS background tasks, how do you ensure that anonymous person B does not see the processed item in the notification center? AFAIK there is currently no concept of identifiable anonymous initiators for background tasks. Seeing finalized background tasks of other individuals would be confusing IMO. We should not do this.

Even if we decide to propose a concept of identifiable anonymous initiators for background tasks, I strongly recommend protecting the downloadObject command by adding permission checks.
It might be the case that such permission checks are already missing. However, even if we want to allow the Anonymous user to trigger a multi-download (which can of course cause load/work on the server(s) and consume a lot of disk space), this feature should only be available (IMO) if the current actor is assigned to at least one ILIAS role with granted access to the multi-download of files/folders (maybe read is sufficient here, but this is the decision of the authority/domain where the multi-download functionality is currently offered). The Anonymous user is (or should be) always assigned to the Anonymous role (obj_id = 14), so granting required permissions should be possible.

Best regards,
Michael

@matheuszych
Contributor Author

Hello @mjansenDatabay,

thank you for your feedback!

I just tested the behavior you described, and unfortunately it works exactly as you said: anonymous user B can see anonymous user A’s notification (background task). This is not only confusing but also poses a spam risk for other users. This definitely would need to be addressed. For example via session tracking, where regular users could be allowed multiple simultaneous sessions, whereas each anonymous-user session would be isolated and treated as a separate user.

The file object has its own permission set. There, you can configure whether anonymous users have the “Visible” and “Read” permissions.

The “Visible” permission lets a user see that a file exists, its name, file type, size, and upload date. It also displays the message: “To access this item you need to be logged in and have appropriate permissions.”
To view and download the file, the user additionally needs the “Read” permission. Therefore, it is up to the file owner to allow anonymous users to download it.

Currently, all ilContainerGUI::downloadObject calls are blocked for anonymous users, regardless of their permissions. However, with the appropriate permissions, they can still download specific individual files, just not in bulk.

The easiest approach here would be to hide the “Download Multiple Objects” action for anonymous users. They could still download the files one by one (with correct permissions).

Best regards
@matheuszych

@matheuszych matheuszych changed the title BG 44883: Allows anonymous user to start download job in container and allows anonymous user to see the notification center [WIP] BG 44883: Allows anonymous user to start download job in container and allows anonymous user to see the notification center Feb 23, 2026
@matthiaskunkel
Member

Jour Fixe, 23 FEB 2026: We agree with Thomas' suggestion and prevent the download of multiple objects for the Anonymous user due to conceptual problems (user sessions...). Allowing the download of multiple objects for Anonymous would require additional implementation efforts beyond this bugfix. Nevertheless, Anonymous can download selected objects one by one.

@matheuszych matheuszych changed the title [WIP] BG 44883: Allows anonymous user to start download job in container and allows anonymous user to see the notification center BG 44883: Allows anonymous user to start download job in container and allows anonymous user to see the notification center Feb 23, 2026
@matheuszych
Contributor Author

Hello @matthiaskunkel,
I believe the JourFixe label can now be removed?

@matthiaskunkel
Member

Yes, you are right, @matheuszych

@thojou thojou requested review from alex40724 and kergomard April 27, 2026 15:32
@thojou
Contributor

thojou commented Apr 27, 2026

Hey @kergomard and @alex40724,

could you please have a quick look at the changes, as we are only changing code in your components.
Thank you in advance.

Best Regards,
@thojou

Contributor

@kergomard kergomard left a comment

Thank you very much for the fix @matheuszych and @thojou

I agree with the changes in ilObjectListGUI.

Best,
@kergomard

See: https://mantis.ilias.de/view.php?id=44883

Anonymous users were offered the multi-download control and could still hit `ilContainerGUI::enableMultiDownloadObject` or `downloadObject` directly. `ilObjectListGUI::insertMultiDownloadCommand` now returns early for anonymous sessions, and `ilContainerGUI` shows a permission failure, returns to the parent controller, and skips enabling or serving downloads for anonymous or zero user ids.
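
The two layers this commit message describes (hide the action in the list GUI, and refuse the command itself) can be modelled in a few lines. This is an added example, not code from the pull request or from ILIAS; the function names, the `ANON_USER_ID` value and the sample ref ids are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the installation's anonymous account id (constructed value).
const ANON_USER_ID = 13;

/** True when the actor has no individual identity: the anonymous account or a zero id. */
function isAnonymousActor(int $userId): bool
{
    return $userId === 0 || $userId === ANON_USER_ID;
}

/** UI layer: decide whether the multi-download action is rendered at all. */
function showsMultiDownloadAction(int $userId): bool
{
    return !isAnonymousActor($userId);
}

/**
 * Command layer: the same check again, because a request can name the command
 * directly without the button ever having been rendered.
 * $readable lists the ref ids the actor holds "Read" on (constructed input).
 */
function handleDownloadCommand(int $userId, array $requestedRefIds, array $readable): array
{
    if (isAnonymousActor($userId)) {
        return ['status' => 'denied', 'refs' => []];
    }
    // Only objects the actor may read are handed to the archive job.
    $allowed = array_values(array_intersect($requestedRefIds, $readable));
    if ($allowed === []) {
        return ['status' => 'denied', 'refs' => []];
    }
    return ['status' => 'queued', 'refs' => $allowed];
}

// Constructed sample requests: a logged-in user, the anonymous account, an unset id.
$samples = [[291, [70, 71, 72], [70, 72]], [ANON_USER_ID, [70], [70]], [0, [70], [70]]];
foreach ($samples as [$uid, $requested, $readable]) {
    $result = handleDownloadCommand($uid, $requested, $readable);
    printf(
        "user %d: button=%s command=%s refs=[%s]\n",
        $uid,
        showsMultiDownloadAction($uid) ? 'shown' : 'hidden',
        $result['status'],
        implode(',', $result['refs'])
    );
}
```

Refusing at the command layer also keeps jobs out of the notification list that every anonymous session shares, which is the cross-visitor visibility raised earlier in the thread.
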
@matheuszych matheuszych changed the title BG 44883: Allows anonymous user to start download job in container and allows anonymous user to see the notification center Container 44883: Prevent anonymous multi-download access May 7, 2026