[
https://jira.duraspace.org/browse/DS-927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20718#action_20718
]
Mark H. Wood commented on DS-927:
---------------------------------
We need to address the fragmentation of access control in DSpace once and for
all. We have this problem over and over again, and it will continue to
arise so long as all the various UIs and machine/machine interfaces have
responsibility for access control. [rant] The safest place for access control
decisions is in the object whose access is to be controlled. [end rant]
However it seems to me that the immediate problem here is that a request for an
item should return only a unique token for the submitter's eperson, not his
complete identity. An application wanting to know more about the submitter
should then ask for the eperson object. That request can be granted or denied
as required by policy, without complicating the item code.
> REST-API All item submitter information is returned for an item request, even
> for an anonymous request.
> -------------------------------------------------------------------------------------------------------
>
> Key: DS-927
> URL: https://jira.duraspace.org/browse/DS-927
> Project: DSpace
> Issue Type: Bug
> Components: REST API (experimental)
> Reporter: Robin Taylor
>
> If I enter a request for a specific item eg.
> http://localhost:8080/rest/items/58.xml the response includes all the ePerson
> information for the person that submitted the request. This info is not
> visible in the UI and I suspect should not be exposed here, at least not to a
> non-administrator.
> <submitter type="bean" size="12">
> <email>[email protected]</email>
> <firstName>Robin</firstName>
> <fullName>Robin Taylor</fullName>
> <handle/>
> <id type="number">1</id>
> <language>en</language>
> <lastName>Taylor</lastName>
> <name>[email protected]</name>
> <netId/>
> <requireCertificate type="boolean">false</requireCertificate>
> <selfRegistered type="boolean">false</selfRegistered>
> <type type="number">7</type>
> </submitter>
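As an added illustration (not DSpace code) of the split Mark describes: the item request carries only the submitter's eperson id, and the full eperson object comes from a separate request where the policy check lives, so the item code stays uncomplicated. The classes, sample data and the read policy (administrators and the eperson themself) are assumptions.

```python
# Added example, not part of DSpace: contrasts the leaking item response from
# the report with a design where the item carries only the submitter's eperson
# id and the eperson object is fetched through a separate, policy-checked
# request. Class names, sample data and the policy are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class EPerson:
    id: int
    email: str
    first_name: str
    last_name: str
    language: str = "en"

@dataclass(frozen=True)
class Item:
    id: int
    handle: str
    submitter: EPerson

# Constructed sample data mirroring the fields quoted in the report.
EPEOPLE = {1: EPerson(1, "robin@example.org", "Robin", "Taylor")}
ITEMS = {58: Item(58, "123456789/58", EPEOPLE[1])}

def item_response_leaky(item_id: int) -> dict:
    """Reported behaviour: the full eperson bean is embedded for any caller."""
    item = ITEMS[item_id]
    s = item.submitter
    return {"id": item.id, "handle": item.handle,
            "submitter": {"id": s.id, "email": s.email, "firstName": s.first_name,
                          "lastName": s.last_name, "language": s.language}}

def item_response(item_id: int) -> dict:
    """Proposed behaviour: only an opaque reference to the submitter."""
    item = ITEMS[item_id]
    return {"id": item.id, "handle": item.handle,
            "submitter": {"type": "eperson", "id": item.submitter.id}}

def eperson_response(eperson_id: int, current_user: Optional[int], is_admin: bool) -> dict:
    """Separate request; the access decision is made here, next to the eperson.
    Assumed policy: administrators and the eperson themself may read it."""
    if not is_admin and current_user != eperson_id:
        raise PermissionError("eperson %d not readable by this request" % eperson_id)
    p = EPEOPLE[eperson_id]
    return {"id": p.id, "email": p.email, "firstName": p.first_name,
            "lastName": p.last_name, "language": p.language}
```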
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel