Some ACLs (i.e. download) on Document level do not work


we have some document types for which we need “download document file” permission on document level. We add/remove this permission via workflow which is working well. But I noticed that “download file” (and some other functions) are only available if I have set them on the document type level (for all documents on that type, not the individual one). Please see the example below:

  1. user A has a role, which does not allow to download documents.
  2. now that role gets the document permission added to download document files via workflow:

  1. now that the user has the permission to download, the “download” function is missing (also in REST API)


  1. If I add the permission to the document type (which I do not want), the function is there

Other functions (i.e. delete document file) do work on document level like expected.

Why not:

  • download document file
  • add document file
  • edit document file
  • … and others?

How can I fix this?

Best regards


I’ve scheduled a lab and audit to check the test suit and ensure that this is not an error with the permission system.

Thanks for looking into this. Here are the very minimal steps to reproduce. Sorry, this looks like a lot of text but it is really simple and self declarative.

  • create a new role “orders” → no permissions
  • create a new group “orders” → no permissions
  • create a new user “Testuser” → no permissions
  • create a new document type “order”
  • assign
    • user Testuser → group orders
    • group orders → to role orders
    • role orders → document type orders

Now assign the following permissions to role orders for document type order:

  • create document
  • view document
  • edit document
  • view document files
  • edit document files

Now login as Testuser, add an order document with file and you can see that the we have the inerrited permissions from the role document type “orders”: this is correct.

Now add the document level permission (as admin user) Download Document File. When checking permissions, it is listed correctly (inherrited permissions plus individual download file permission). But the download button is missing.

Now add the Download Document File as document typer permission (for role order) - so that it is also inherrited from document tpye. Now the download button is there.

If I do all the same for example for delete document file everything is working like exprected.


I have not been able to replicate this on multiple attempts.

  • User “test” on group “test” on role “test”.
  • ACL for document type “Default” and role “test”.

Case 1

Download link is not enabled:

Case 2

Permission “Document file download” added to the document type “Default” via the ACL.

Download link is enabled:

Case 3

Permission “Document file download” added to the role “test” directly.

On the ACL the permission is gray and shows as inherited.

Download link is enabled:

Tested on versions 4.5.11, 4.6.3, 4.7rc1.