Imaging / MGNLIMG-117

Image variations do not respect security applied to original image storage location


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Critical
    • 2.x, 3.0.x
    • 2.2
    • image operations
    • None
    • Tested with a Magnolia 4.5.12 EE bundle

      Use case: On a protected page (login required) the referenced images stored in the DMS should also not be accessible, even if the direct URL of the image is known.

      Images are stored in the DMS under a protected path not accessible for anonymous access.

      To protect these specific images from anonymous access, the anonymous role is denied access to that path in the DMS (using ACL settings).

      This does not work because image variations created automatically store the referenced images in a different path like:

      http://localhost:8080/magnoliaPublic/.imaging/stk/pop/content/dms/demo-project/protected/homer1/document/homer1.jpg

      The path above is not protected by the previously defined ACL, so the image is accessible using its URL directly.

      Also, in an STK teaser located above the path with the page containing the protected page/image, the image might be shown as a variation automatically because it is served from the images workspace.

      See attachment for an example where the protected image is shown for an anonymous user by the STK component.

      In conclusion, the permissions for DMS/DAM/anything else should be transitively applied to the content in imaging.


              Assignee: Unassigned
              Reporter: Lars Fischer (lfischer)
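
The transitive check the report asks for, as an added example that is not part of the original report and not Magnolia code: an imaging URL is mapped back to the workspace and node path of its original, and the anonymous role's deny rule is evaluated on that path. The URL layout (generator, two generator-specific segments, workspace, node path, binary property, file name) is an assumption inferred from the URL in the report; the function names and the ACL table are hypothetical.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed ACL for the anonymous role, mirroring the report:
# access is denied below a protected subtree of the "dms" workspace.
ANONYMOUS_DENY = {"dms": ["/demo-project/protected"]}

# Assumption: segments between the generator name and the workspace
# name ("pop/content" in the reported URL for the "stk" generator).
GENERATOR_PARAM_SEGMENTS = {"stk": 2}
IMAGING_PREFIX = "/.imaging/"


def source_of_variation(url, context="/magnoliaPublic"):
    """Map an imaging URL back to (workspace, node path) of the original."""
    path = unquote(urlsplit(url).path)
    if path.startswith(context + "/"):
        path = path[len(context):]
    if not path.startswith(IMAGING_PREFIX):
        raise ValueError("not an imaging URL")
    segs = [s for s in path[len(IMAGING_PREFIX):].split("/") if s]
    skip = GENERATOR_PARAM_SEGMENTS.get(segs[0]) if segs else None
    if skip is None or len(segs) < skip + 5:
        raise ValueError("unrecognised imaging URL layout")
    workspace = segs[1 + skip]
    # The last two segments are the binary property and the file name.
    # normpath resolves ".." so a traversal cannot dodge the prefix match.
    node = posixpath.normpath("/" + "/".join(segs[2 + skip:-2]))
    return workspace, node


def is_denied(workspace, node, deny=ANONYMOUS_DENY):
    """True if node is a denied path or lies below one."""
    return any(node == p or node.startswith(p + "/")
               for p in deny.get(workspace, []))


def anonymous_may_fetch_variation(url):
    """Apply the source ACL to the variation; unknown layouts fail closed."""
    try:
        workspace, node = source_of_variation(url)
    except ValueError:
        return False
    return not is_denied(workspace, node)
```
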