BIM 360 Document Manager will introduce a new permission: View without download. This affects applications downloading files from BIM 360 Hubs with Data Management API.
As of today, if the user in the given access token (3LO access token or a 2LO access token + the impersonated user) has the “View Only” permission on a folder assigned through BIM Docs UI, it was assumed that the user also had permission to download the files in that folder (using storage url).
With this change, if the user is assigned “View Only” permission using the new permission model through BIM 360 Document Manager, the user will have permission to view a version (e.g. using Viewer), but will not be able to download the original file (e.g. Revit file).
How should an application adjust for this change?
- Check permissions command: use this endpoint to check if the user has the required permissions on the folder(s), in this case, “download”.
- Storage URL: the relationships.storage.meta.link.href attribute will return 403 if the access token has no permission to download the file.
Additional information for an existing consumer of Check Permission API:
- “View” permission check from the user will return permission: true for users who have permission to view the file (with or without download permission).
- "Read" permission check from the user will return permission: true for users who have permission to view and download the file, so it will return permission: false response if users have “View Only” or “Upload Only” permission.