Original document access limitation based on Access Rights

I would like to limit access to an original document based on Access Rights field content : idea is to only give access to the thumbnail rather than original in public show.php. (original document would still be accessible to authorized users)

I think I can add a condition in my theme items/show.php (though I’m not sure of the best way to do so…) to get the thumbnail instead of original file, but I want to be sure that the original file cannot be accessed with its URL.
If I change the rights on the file when uploading it, wouldn’t I also restrict access for logged users ?

Do you have any idea about the proper way to do so ? Did someone already experienced this situation ?

You’ll need to loop through the files manually on items/show.php

$f = loop('files', $item->Files);
foreach ($f as $file){
    if( $hasAccess )  {
              $url = $file->getWebPath('original'); // for those with full access
              $url = $file->getWebPath('thumbnail'); // for those with limited access

You’ll need to define $hasAccess based on whatever criteria you’re using, but that should work. It will show the appropriate file based on those criteria, and the thumbnail will have a generated filename so it probably won’t be possible for an end user to manipulate the URL to get the original filename.

You could do something like this to get a user’s access level and test whether the item is restricted…

$userHasAccess = ( is_allowed( $item, 'view' ) ? true : false; // e.g. a Researcher user
$isRestricted = ( metadata( $item,array('Item Type Metadata', 'Access Rights') ) == 'restricted' ) ? true : false; // assuming this is an item-level custom field where the value "restricted" is the key word
$hasAccess = ( !isRestricted || ($isRestricted && $userHasAccess) );

Thanks for your feeback. FYI, I did something like that in my items/show.php :

$accessRights = metadata('item', array('Dublin Core', 'Access Rights'));
          if ($accessRights == 'Restricted') {
            $size = 'thumbnail';
            $linkToFile = false;
          else {
            $size = 'fullsize';
            $linkToFile = 'fullsize';
          echo files_for_item(array('imageSize' => $size, 'linkToFile' => $linkToFile));

Your solution has the advantage of taking user’s access level into account, but you don’t seem to be using files_for_item() function at all ?

Yet, my main issue is that I did not find a proper way to prevent accessing the files in original directory directly by their URLs, like : http://my-omeka-website.local/files/original/dezdgetzgdzetdgz.jpg. Indeed, it is quite easy to get to this URL when we get the filename hash.

For instance, I didn’t find anything but adding a rule in the .htaccess, redirecting every query in files/original directory to a custom plugin that checks for restriction… I don’t feel really satisfied with that.