I see that if a user is granted with Read permission for a workspace, he can view and EXPORT everything in that workspace to a file, and if he install a new instance of nuxeo (quite easy due to the excelent work from Nuxeo team) he can then import every thing to it and have that workspace at hand with full access rights.
I'm quite embarrassed, or even terrified, with the fact that a user with lowest access right (Read permission) can easily download EVERYTHING from workspace structure to content, files... inside and bring home, upload (import) to new instance of Nuxeo and then become the owner of the full data. It's just like employee at a company: they are provided with everything at the office to work: computer, office machine and other properties. They have access to that in order to work at the office but absolutely they cannot take them home and become the owner of those properties.
If this is the case, in my opinion it would be a terrible thing regarding access right permission. I think that in the access right management, there should be setting to whether allow user to export workspace or not, just some very high-level users can export and users with low-level right such as Read right cannot export. I think the Export right should be even higher than Manage right (and of course much higher than Read, Write, Remove rights)
Could anyone please help me to clarify this point?
Thanks alot.
