I have a (AT Blob) file that users upload to a Plone 4.3 site.
It contains names and dates and is used by a view to display 'who has birthday today.
I want to disable download of the file.
What would be the best way of doing this?
PS: I also have dexterity content types on the site, so making a new content type is also an option.
I'd use the fields view permission setting.
I always feel reluctant to call something "the best".
One approach could be: you change the permission to role mapping for this file (--> .../manage_access) removing the "View" permission from those roles you want to prevent from downloading (this should prevent view and download) (be careful, workflow may control this permission and undo your manual changes; usually "File" has no workflow - but otherwise, surprises are possible). Of course, you now must provide special means to views presenting this file (as by default, they no longer can view it). For this, you can use so called "proxy roles". They are assignable via the ZMI to page templates and can be defined in "*.metadata" files for "FSPageTemplate" objects. To set proxy roles in Python code, you can use dm.zopepatches.security (to be found on PyPI) -- more precisely, the functions defined in its proxy module.
@dieter you're thinking too complex. It is much simpler.
Both Archetypes and Dexterity have field level permissions. That's what they are made for.
Also please never advice touching manage_access view. This wont result in stable settings in Plone because workflow may override it.
Thanks for the help.
I used normal permissions for viewing the file.
Then I used dm.zopepatcher to let the browser view read the file.
This seems to be working perfect.
Browser views are usually not security restricted. Thus, you might be able to avoid the use of "dm.zopepatches.security".