Access levels
Four levels of who-can-see-this for vault files, plus how approval requests, grants and revocation work.
Every file in a UnitVault has exactly one access level. The level controls who can see the file in the listing's documents block and who can download it. Here are the four, in increasing order of restriction.
Public
Anyone with the listing URL — signed in or not — can see the file and download it.
Use this for things you'd put in a brochure: spec sheets, a stamped overview certificate, generic equipment manuals. Files at this level are listed, indexed and downloadable without sign-in.
Sign-in required
Visible to any signed-in user. Guests see "Sign in to download" instead of the download button.
Use this for content you're happy any registered Haubot user can have but not the open internet: low-risk service summaries, photos that include serial numbers, basic invoices.
Approval required
Visible in the listing's documents block, but each user has to request access individually. The seller approves or denies, optionally with an expiry. Approvals are tracked as grants; the seller can revoke any grant at any time.
This is the level for documents where you want to know who's looking — proof of ownership, detailed inspection reports, financials, anything you'd consider proprietary or sensitive.
Lifecycle of an approval-required file
- Buyer sees the file in the documents block with a "Request access" button.
- Buyer submits a request with a short message ("I'm a verified dealer evaluating this for a client").
- Seller sees the request in their dashboard's Access control panel and decides.
- Approve. A grant is created, optionally with an expiry. The buyer's button flips to "Download". The grant is recorded; if it expires or the seller revokes, the button flips back.
- Deny. The seller can write a reason; the buyer sees the request status as denied. They can submit a new request later if they want.
Idempotency rules
- A buyer can only have one pending request per file. A second click while pending returns the existing request.
- A buyer's existing active grant lets them download immediately; the request flow is bypassed.
- Revoking a grant is immediate — the next download attempt fails. Snapshots that include the file are unaffected.
Internal only
Visible only to the seller's team and Haubot staff/admins. Buyers never see these files exist — they're filtered out at the database query, not just hidden in the UI.
Use this for things that should never reach buyers: internal valuations, draft documents, communication between the seller's staff, files that aren't ready for review.
How buyers see the difference
A buyer scrolling the documents block sees an access badge next to each file. The badge text adapts to the buyer's actual state:
- Public — green
- Sign-in required — sky blue (turns into "Sign in to download" CTA for guests)
- Approval required — orange. Becomes:
- "Request pending" (orange clock) when the buyer has submitted a request - "Access granted" (green shield) when the buyer has an active grant — at this point the badge matches the Download button colour, no contradiction
- Internal only — never shown to buyers (the file isn't returned to them at all)
What the seller sees
In /dashboard/listings/{id}/vault, the Access control panel has two sub-sections:
- Pending requests — every buyer waiting for a decision. Approve (with optional expiry: 7 days, 30 days, never) or deny (with optional reason).
- Active grants — every buyer who currently has access. Revoke any time.
Both lists update live as buyers click through.
Audit log
Every meaningful operation is recorded:
ACCESS_REQUESTED— buyer submitted a requestACCESS_GRANTED— seller approved, grant createdACCESS_DENIED_REQUEST— seller denied a requestACCESS_WITHDRAWN— buyer withdrew their pending requestACCESS_REVOKED— seller revoked an active grantACCESS_DENIED— a download attempt was refused at the gate (rare; usually means the grant expired between page load and click)
The log has IP addresses and user-agent strings on every row. Use this when a buyer claims they had access "and then suddenly didn't" — the log will show whether the grant was revoked, expired, or never existed.
How this interacts with snapshots
A snapshot freezes the state of every file including its access level at the time of snapshot. Later changes to the access level affect the live vault, not the snapshot. If a buyer downloads a snapshot package later, they receive the files appropriate to their current level — not the level at snapshot time. The snapshot proves what was disclosed; the present access level controls what each buyer can pull now.