Assets on WSO2 ES are retrieved by a direct URL, without access control.
Despite not assigning permissions to anonymous users, once a user has the URL to an asset, anyone who knows that URL can download the resource.
Is there any plan to implement access control to assets?
This seems to be a bug, as the access rights are supposed to be checked before serving the resource. The list of allowed roles is specified in the configuration files found in the ext/config/ folder. An example of its usage can be found in /store/config/ext/gadget.json.
I have logged a JIRA for this issue [1] and we will have it fixed in the next release.
[1] https://wso2.org/jira/browse/STORE-383
Thanks, Sameera