[ http://jira.dspace.org/jira/browse/DS-161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=10507#action_10507 ]

Kim Shepherd commented on DS-161:
---------------------------------
There are some authorisation/permissions issues we might need to work out
here...

org.dspace.app.bulkedit.MetadataExport works well with the "restrict metadata
from display" feature recently added for 1.6, but does not check to see whether:

- The user is logged in
- The user has READ permissions on items that are to be written to the CSV
- The item is withdrawn / in archive

The issue is a subtle one, because the CLI app is generally run as an
administrator anyway, and the context menu buttons/links provided in JSPUI (and
soon to be XMLUI) aren't available to anonymous or non-admin users, but there
is nothing stopping an anonymous user POSTing a collectionID to
MetadataExportServlet (in the case of JSPUI) or visiting
[baseurl]/csv/handle/123456789/123 (in the case of XMLUI).

I think the solution is to pass context through to MetadataExport and check
authorisation as items are being written to the CSV. In the case of a user
requesting a single item they don't have permission to READ, or requesting a
collection/community they don't have permission to READ, an
AuthorizationException should be thrown. In the case of a collection/community
where some items are restricted/withdrawn/etc and some are not, the restricted
items should be skipped (and logged?) and the remaining items should be written
to the CSV.

This should make security in each UI consistent and easy when providing the
servlet/aspect... just catch exceptions and log skipped items (loath to
display skipped items in the UI as their handles/existence probably shouldn't
even be known to the user if they've been skipped here)

Any thoughts?

-k.

> Bulk Metadata Editing
> ---------------------
>
> Key: DS-161
> URL: http://jira.dspace.org/jira/browse/DS-161
> Project: DSpace 1.x
> Issue Type: New Feature
> Affects Versions: 1.5.0, 1.5.1, 1.5.2
> Reporter: Charles Kiplagat
> Assignee: Stuart Lewis
> Fix For: 1.6.0
>
> Attachments: [DS-161]_Bulk_metadata_editing.patch, bulkedit.zip,
> export-search-results-jspui.patch
>
>
> Voted as number three top most wanted features in DSpace 1.6. This JIRA issue
> will be used as a holding place for this feature, and potential code that
> could be adopted as a solution. See:
> http://wiki.dspace.org/index.php/Batch_Metadata_Editing_Feature
> First version of this patch uploaded. Instructions at:
> http://wiki.dspace.org/index.php/Batch_Metadata_Editing_Prototype
> This code will work with DSpace 1.5.2 (and possibly earlier 1.5.x versions).
> Please try the code (on test systems) and comment.
> ---
> Use cases included name and subject authority control, adding a new piece of
> metadata to all the items in a collection at once. One manager wanted to
> allow student assistants to bulk-edit metadata. Suggestion: export/import of
> a collection's metadata only, for batch editing. bulk metadata editing
> through a web UI
> http://wiki.dspace.org/index.php/Community_Requirements_Gathering_Chat,_Week_1,_20_August_2008
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel
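
The check proposed in the comment above, as an added example that is not part of the original message or of DSpace's code. It uses hypothetical stand-in types (`Item`, `ExportDenied`, string user names and reader sets) instead of DSpace's classes, and assumes Java 16 or later for records.

```java
import java.util.*;

// Stand-in types for illustration; none of these are DSpace classes.
public class ExportAuthzSketch {
    record Item(String handle, boolean archived, boolean withdrawn, Set<String> readers) {}

    static class ExportDenied extends Exception { ExportDenied(String m) { super(m); } }

    // user == null is an anonymous request; "anonymous" in readers means public READ.
    static boolean canRead(String user, Set<String> readers) {
        return readers.contains("anonymous") || (user != null && readers.contains(user));
    }

    static boolean exportable(String user, Item item) {
        return item.archived() && !item.withdrawn() && canRead(user, item.readers());
    }

    // Single item: refuse outright, without echoing the handle back to the caller.
    static String exportItem(String user, Item item) throws ExportDenied {
        if (!exportable(user, item)) throw new ExportDenied("not authorised to export");
        return item.handle();
    }

    // Container: refuse if the container is unreadable, otherwise skip restricted
    // items and record them in the server-side log only.
    static List<String> exportCollection(String user, Set<String> collectionReaders,
            List<Item> items, List<String> serverLog) throws ExportDenied {
        if (!canRead(user, collectionReaders)) throw new ExportDenied("not authorised to export");
        List<String> rows = new ArrayList<>();
        for (Item item : items) {
            if (exportable(user, item)) rows.add(item.handle());
            else serverLog.add("skipped " + item.handle() + " user=" + user);
        }
        return rows;
    }

    public static void main(String[] args) throws ExportDenied {
        // Constructed sample data: one public item, one staff-only, one withdrawn.
        List<Item> items = List.of(
            new Item("123456789/1", true, false, Set.of("anonymous")),
            new Item("123456789/2", true, false, Set.of("staff")),
            new Item("123456789/3", false, true, Set.of("anonymous")));
        List<String> serverLog = new ArrayList<>();
        System.out.println(exportCollection(null, Set.of("anonymous"), items, serverLog));
        System.out.println(serverLog);
        try { exportItem(null, items.get(1)); }
        catch (ExportDenied e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```

Because the decision is made where rows are written, a servlet, an XMLUI aspect and the CLI would all get the same result for the same user.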