evaluate publish flags in the full derivative path
eu.etaxonomy.cdm.remote.controller.OccurrenceController.doGetOccurencesDTO(@PathVariable(value="uuid") UUID uuid, HttpServletRequest request, HttpServletResponse response)
doGetFieldUnitDTO maybe also in other methods, the publish flag is checked only for the derivative for which the uuid is passed to the method. Originals are not checked though!
All DerivedUnits need to be checked though. The actual processing of the DerivedUnits takes place in the OccurrenceServiceImpl, therefore checking the publish flag must be done there.
During a call with Katja we discussed as solution to let the service check all the publish flags. In case one element in the derivation path is protected the service will throw an exception (UnpublishedEntityAccessException) which is caught by the controller to respond to the client in an appropriate way. By this the we can avoid exposing protected data from the FieldUnit which is included into the titleCache of derivatives.
#2 Updated by Andreas Müller 10 months ago
As far as I know the SpecimenOrObservation publish flag is not evaluated by webservices at all, yet (or only in very few cases). So this ticket should better be part of be transformed into a ticket which generally is about implementing publish flag evaluation for SpecimenOrObservation similar to the TaxonBase publish flag evaluation.