Maybe it's a very silly/easy question, for which I'm missing the obvious solution, but I'm really struggling to figure out how to securely show FileDocument objects to anonymous users, without them being able to access just any object from that table. Situation: Tickets can be viewed by anonymous users via a DeepLink. I've created a non-persistable domain model to make sure that anonymous users can't view other tickets. Tickets can have attachments, attachments are FileDocs, and FileDocs can only be persistent. Which is where my problem starts. I can't apply entity access (there is no user), and delete behavior between the non-persistable Ticket and the persistable FileDoc doesn't do anything (because the Ticket is non-persistable, probably). Does anyone know of a solution for this issue?
We also created a non-persistent object for the file documents. We create and fill those from the file documents and show that list. In the non-persistent object we also put the FileDocument ID, so that you can use that ID if something needs to be done with the FileDocument (such as downloading etc.).