Title: Message Title
How to reproduce:
1) Create a Collection where DEFAULT_READ access is limited to a non-Anonymous group (e.g. Administrators or similar)
2) Submit an Item to that Collection
3) Run "./dspace oai import"
The Result:
* The Item will be access restricted from the UI (XMLUI or JSPUI), and will not be accessible to Anonymous Users
* HOWEVER, the Item's metadata will be available from OAI-PMH anonymously.
Essentially, it seems like OAI-PMH should be verifying that each Item has Anonymous READ permissions before it indexes the Item. Instead, by default OAI-PMH just indexes *everything* where "in_archive=TRUE" and "discoverable=TRUE": https://github.com/DSpace/DSpace/blob/master/dspace-oai/src/main/java/org/dspace/xoai/app/XOAI.java#L203
NOTE: In this scenario, "discoverable=TRUE" as these Items were not marked fully "private". Instead, they are being access controlled by Resource Policies. So the issue here is that OAI-PMH is not checking the Resource Policies.
In all honesty, this could also be considered the fault of "Item.getMetadata()" which fails to validate Item READ access before returning all metadata values (as OAI-PMH calls getMetadata() to perform its indexing): https://github.com/DSpace/DSpace/blob/master/dspace-api/src/main/java/org/dspace/content/Item.java#L521
_______________________________________________
Dspace-devel mailing list
Dspace-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-devel
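
The gap described in the report, as an added example that is not part of the original message and is not DSpace code: a simplified Python model comparing the flag-only selection ("in_archive" and "discoverable") with a selection that also requires an Anonymous READ resource policy. The class names, the group name "Anonymous", the policy date window, the handles and the dates are all constructed assumptions of this model.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

ANONYMOUS, READ = "Anonymous", "READ"  # assumed names for this model

@dataclass
class ResourcePolicy:
    group: str
    action: str
    start: Optional[date] = None  # date window is a modelling assumption
    end: Optional[date] = None

    def active(self, today: date) -> bool:
        return ((self.start is None or self.start <= today)
                and (self.end is None or today <= self.end))

@dataclass
class Item:
    handle: str
    in_archive: bool
    discoverable: bool
    policies: List[ResourcePolicy] = field(default_factory=list)

def flag_only(items):
    """Selection the report describes: the two flags, no policy check."""
    return [i.handle for i in items if i.in_archive and i.discoverable]

def anonymous_can_read(item, today):
    """True only if an active policy grants READ to the Anonymous group."""
    return any(p.group == ANONYMOUS and p.action == READ and p.active(today)
               for p in item.policies)

def policy_aware(items, today):
    """Flags plus the Anonymous READ check the report asks for."""
    return [i.handle for i in items
            if i.in_archive and i.discoverable and anonymous_can_read(i, today)]

def leaked(items, today):
    """Items the flag-only selection would expose to anonymous harvesters."""
    allowed = set(policy_aware(items, today))
    return [h for h in flag_only(items) if h not in allowed]

# Constructed sample data (not real handles).
TODAY = date(2014, 1, 15)
ITEMS = [
    Item("123456789/1", True, True, [ResourcePolicy(ANONYMOUS, READ)]),
    Item("123456789/2", True, True, [ResourcePolicy("Administrators", READ)]),
    Item("123456789/3", True, True,
         [ResourcePolicy(ANONYMOUS, READ, start=date(2015, 1, 1))]),
    Item("123456789/4", False, True, [ResourcePolicy(ANONYMOUS, READ)]),
]
```

Running `leaked(ITEMS, TODAY)` against a repository export shaped like `ITEMS` gives the set of records whose metadata an anonymous harvester could already have collected.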