Thanks for confirming my suspicion. Yeah, never a security/exposure issue.
Just unlogged-in people wouldn't have seen all the content that they should
have (if you had IPAuth and they matched a group).

I've filed a JIRA, and made the relevant patch. Testing welcome.
https://github.com/DSpace/DSpace/pull/632
https://jira.duraspace.org/browse/DS-2138

Basically, I just grab the context's special groups no matter what (i.e.
not just inside if(currentUser != null) { ... }).

________________
Peter Dietz
Longsight
www.longsight.com
pe...@longsight.com
p: 740-599-5005 x809


On Thu, Sep 4, 2014 at 4:35 PM, Mark Diggory <mdigg...@atmire.com> wrote:

> Hey Peter,
>
> I believe you are correct; the following method needs to have the special
> groups added to its listing
>
>
> https://github.com/DSpace/DSpace/blob/master/dspace-api/src/main/java/org/dspace/discovery/SolrServiceResourceRestrictionPlugin.java#L61
>
> I will note this error does not introduce any security flaw because
> it's only excluding results that the user's IP should have been able to see.
> The correction is to get the special groups off the Context and add them to
> the query in the above method.
>
> Cheers,
> Mark
>
>
> On Thu, Sep 4, 2014 at 1:30 PM, Kim Shepherd <kim.sheph...@gmail.com>
> wrote:
>
>> Hi Peter, we use IPAUTH (in addition to Shibboleth special groups) so
>> that our on-campus users can access restricted resources without logging
>> in, too.
>> I haven't noticed this particular issue -- Discovery has appeared to be
>> working from what I've seen but I've mostly been testing access to the
>> items/bitstreams themselves, so I'll take a look at our logs, too.
>> From my quick testing so far it's looking like I can reproduce the issue
>> you're talking about -- as an Anonymous user with only IPAUTH granting me
>> an extra special group, I can access all the resources I need to, but
>> Discovery is ignoring my special group and hiding recent submissions /
>> search results from me.
>>
>> The assumption that (currentUser == null) always means "Anonymous only"
>> is definitely an assumption that's going to break special groups like
>> IPAUTH, so I think you're onto something there. Which classes are you
>> looking at?
>>
>> Cheers
>>
>> Kim
>>
>> On 5 September 2014 07:04, Peter Dietz <pe...@longsight.com> wrote:
>>
>>> Hi All,
>>>
>>> I was wondering if anyone is using the IPAuthentication mechanism, where
>>> you can have anonymous users who happen to be on a certain IP address range
>>> (i.e. campus / regional campus), and should be able to view that restricted
>>> content without having to log in.
>>>
>>> However, I'm having some issues, as I don't think that Discovery is
>>> actually checking the current user (anonymous user that could have "special
>>> groups"). I've noticed some difference in behavior when I'm visiting the
>>> site as anonymous user (not logged in), and also while logged in as a user
>>> who has no credentials (member of anonymous group though).
>>> i.e. some of the authentication / context logic goes
>>> if(currentUser != null) {...
>>>
>>> I've checked that Discovery has indexed the content correctly, which
>>> appears to be correct. i.e. ?q=handle:123456789/3456
>>> And that item has read:"g7"
>>>
>>> My config/modules/authentication-ip.cfg has something like:
>>> (Production it is different values).
>>>
>>> ip.CAMPUS = 127.0.0.1
>>>
>>> And group CAMPUS, groupID: 7.
>>>
>>>
>>> 2014-09-04 14:50:17,145 DEBUG org.dspace.authenticate.IPMatcher @ ipIn:
>>> 127.0.0.1
>>>
>>> 2014-09-04 14:50:17,145 DEBUG org.dspace.authenticate.IPAuthentication @
>>> anonymous:session_id=23AB7F7C2C8DA06BE556148B855E1D01:authenticated:special_groups=7
>>>
>>> 2014-09-04 14:50:17,146 DEBUG org.dspace.app.xmlui.utils.ContextUtil @
>>> Adding Special Group id=7
>>>
>>>
>>> When Discovery makes the check, it appears to have discarded the special
>>> group, and the query (I've added some debug) is:
>>>
>>> 2014-09-04 14:50:17,282 DEBUG
>>> org.dspace.discovery.SolrServiceResourceRestrictionPlugin @ ResourceQuery:
>>> read:(g0)
>>>
>>> Where g0 is anonymous group. It should have been "g0 OR g7".
>>>
>>>
>>> So, if anyone has run across this issue, or would like to look into it,
>>> please let me know.
>>>
>>> ________________
>>> Peter Dietz
>>> Longsight
>>> www.longsight.com
>>> pe...@longsight.com
>>> p: 740-599-5005 x809
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Slashdot TV.
>>> Video for Nerds.  Stuff that matters.
>>> http://tv.slashdot.org/
>>> _______________________________________________
>>> DSpace-tech mailing list
>>> DSpace-tech@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/dspace-tech
>>> List Etiquette:
>>> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
>>>
>
>
>
> --
> *Mark Diggory*
> *2888 Loker Avenue East, Suite 315, Carlsbad, CA. 92010*
> *Esperantolaan 4, Heverlee 3001, Belgium*
> http://www.atmire.com