[ 
https://jira.duraspace.org/browse/DS-927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20696#action_20696
 ] 

Bojan Suzic commented on DS-927:
--------------------------------

Yes, there are also some other related issues.
The initial idea with the REST API was to expose and make available/accessible 
as much of the data and functions as possible.
However, some methods in the DSpace API do not pass through regular 
authorization checks.
I think we should not limit the domain of methods/data exposed to be 
comparable to the ones available via the regular UI, as the purpose of REST is 
not to be/serve as another UI frontend but to make room/infrastructure for 
other, wider applications. Therefore, some approach for treating such "border" 
issues should be agreed.
At first I was thinking about configuration options to limit whole 
portions of the REST API. For instance, some users neither need nor want 
PUT/POST/DELETE functionality at all. Some others may want to limit it to the 
LAN only.
Additionally, some others wouldn't like to make all the data (like EPerson) 
generally available. I am only not sure whether additional authorization checks 
should be further implemented/pushed to the DSpace API level or should we 
consider it more like a REST API issue?


> REST-API All item submitter information is returned for an item request, even 
> for an anonymous request.
> -------------------------------------------------------------------------------------------------------
>
>                 Key: DS-927
>                 URL: https://jira.duraspace.org/browse/DS-927
>             Project: DSpace
>          Issue Type: Bug
>          Components: REST API (experimental)
>            Reporter: Robin Taylor
>
> If I enter a request for a specific item, e.g. 
> http://localhost:8080/rest/items/58.xml the response includes all the ePerson 
> information for the person that submitted the request. This info is not 
> visible in the UI and I suspect should not be exposed here, at least not to a 
> non-administrator.
> <submitter type="bean" size="12">
> <email>[email protected]</email>
> <firstName>Robin</firstName>
> <fullName>Robin Taylor</fullName>
> <handle/>
> <id type="number">1</id>
> <language>en</language>
> <lastName>Taylor</lastName>
> <name>[email protected]</name>
> <netId/>
> <requireCertificate type="boolean">false</requireCertificate>
> <selfRegistered type="boolean">false</selfRegistered>
> <type type="number">7</type>
> </submitter>

-- 
This message is automatically generated by JIRA.
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel
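
The two controls discussed in this thread, as an added sketch that is not part of the original messages and is not DSpace code: a configurable gate on PUT/POST/DELETE (including a LAN-only restriction) and an allow-list filter that strips `<submitter>` data from an item response for non-administrators. The policy key names, the `<item>` wrapper element and the sample response are assumptions constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Hypothetical policy switches (names are assumptions, not DSpace config keys).
POLICY = {
    "write_methods_enabled": True,         # False disables PUT/POST/DELETE entirely
    "write_networks": ["192.168.0.0/16"],  # writes are accepted only from these networks
    "eperson_fields_public": [],           # submitter fields shown to non-administrators
}
WRITE_METHODS = {"PUT", "POST", "DELETE"}

def method_allowed(method, client_ip, policy=POLICY):
    """Decide whether an HTTP method may be served to this client address."""
    if method.upper() not in WRITE_METHODS:
        return True
    if not policy["write_methods_enabled"]:
        return False
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n) for n in policy["write_networks"])

def filter_item(xml_text, is_admin, policy=POLICY):
    """Return the item XML with submitter data reduced to the public allow-list."""
    root = ET.fromstring(xml_text)
    if is_admin:
        return ET.tostring(root, encoding="unicode")
    # Snapshot the tree first so removals do not disturb the traversal.
    for parent in list(root.iter()):
        for sub in list(parent.findall("submitter")):
            for field in list(sub):
                if field.tag not in policy["eperson_fields_public"]:
                    sub.remove(field)
            if len(sub) == 0:
                parent.remove(sub)  # nothing left to show: drop the element
            else:
                sub.set("size", str(len(sub)))
    return ET.tostring(root, encoding="unicode")

# Constructed sample response, modelled on the <submitter> bean in the report.
SAMPLE = """<item><id type="number">58</id><name>Sample item</name>
<submitter type="bean" size="3"><email>submitter@example.org</email>
<fullName>Sample Submitter</fullName><id type="number">1</id></submitter></item>"""

if __name__ == "__main__":
    print(filter_item(SAMPLE, is_admin=False))
    print(method_allowed("DELETE", "203.0.113.9"))
```

Filtering by allow-list rather than by a list of fields to hide means a field added to the bean later stays private until someone decides to publish it.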