XMLUI's METS generator ignores authorization
--------------------------------------------

                 Key: DS-304
                 URL: http://jira.dspace.org/jira/browse/DS-304
             Project: DSpace 1.x
          Issue Type: Bug
          Components: XMLUI
    Affects Versions: 1.5.2, 1.5.1, 1.5.0
            Reporter: Kim Shepherd
             Fix For: 1.6.0


(apologies if this is a duplicate, I couldn't find any related issues, though I 
know the OAI interface has been under similar scrutiny)

By default, XMLUI will generate and send METS metadata for a DSO if the URL 
pattern matches: metadata/handle/*/*/**

Item/collection/community authorisations are not checked by DSpaceMETSGenerator 
first, which means that items with no anonymous READ access, items with 
[Harvard/MIT-style] embargos applied, etc. are still ultimately exposing 
metadata to users and machines who know how to take advantage of this bug.

I am not sure whether this should be handled by patching DSpaceMETSGenerator or 
disabling the pattern match in sitemap.xmap by default and documenting its 
behaviour thoroughly, so admins can enable it once they are sure they are happy 
with unrestricted metadata access.

I can't promise these URLs will remain live/relevant forever, but you can 
quickly replicate this bug by viewing:

http://www.anonymous.org.nz:8180/handle/123456789/23
http://www.anonymous.org.nz:8180/metadata/handle/123456789/23/mets.xml

Any comments/suggestions?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.dspace.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
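
The following is an added example, not part of the original message and not DSpace code: a toy model of the two routes described in the report, with a regression check that lists objects whose item page refuses anonymous access while the METS route still answers. All function names, the "anon_read" flag and the second handle are assumptions made for illustration.

```python
import re

# Constructed sample repository (not real data): handle -> item record.
ITEMS = {
    "123456789/23": {"anon_read": False, "title": "Restricted item"},
    "123456789/24": {"anon_read": True, "title": "Open item"},
}

# Two routes that resolve to the same object.
ITEM_ROUTE = re.compile(r"^/handle/([^/]+/[^/]+)$")
METS_ROUTE = re.compile(r"^/metadata/handle/([^/]+/[^/]+)/.+$")  # metadata/handle/*/*/**


def can_read(handle, user):
    """Toy READ policy: anonymous (user=None) needs anon_read; named users pass."""
    return user is not None or ITEMS[handle]["anon_read"]


def serve(path, user=None, mets_checks_auth=True):
    """Return (status, body). mets_checks_auth=False models the reported behaviour."""
    for route, is_mets in ((METS_ROUTE, True), (ITEM_ROUTE, False)):
        m = route.match(path)
        if not m:
            continue
        handle = m.group(1)
        if handle not in ITEMS:
            return 404, None
        # The item page always enforces READ; the METS route only if told to.
        enforce = mets_checks_auth if is_mets else True
        if enforce and not can_read(handle, user):
            return 403, None
        title = ITEMS[handle]["title"]
        return 200, (f"<mets><title>{title}</title></mets>" if is_mets else title)
    return 404, None


def exposed_handles(mets_checks_auth):
    """Handles refused on the item page but served by the METS route, both anonymous."""
    leaks = []
    for handle in ITEMS:
        item_status, _ = serve(f"/handle/{handle}")
        mets_status, _ = serve(f"/metadata/handle/{handle}/mets.xml",
                               mets_checks_auth=mets_checks_auth)
        if item_status != 200 and mets_status == 200:
            leaks.append(handle)
    return leaks


if __name__ == "__main__":
    print("without check:", exposed_handles(False))
    print("with check:   ", exposed_handles(True))
```
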