Hey Peter,

I believe you are correct, the following method needs to have special
groups added into listing

https://github.com/DSpace/DSpace/blob/master/dspace-api/src/main/java/org/dspace/discovery/SolrServiceResourceRestrictionPlugin.java#L61

I will note this is an error that does not introduce any security flaw because
it's only excluding results that the user IP should have been able to see.
The correction is to get the special groups off the Context and add them to
the query in the above method.

Cheers,
Mark


On Thu, Sep 4, 2014 at 1:30 PM, Kim Shepherd <[email protected]> wrote:

> Hi Peter, we use IPAUTH (in addition to Shibboleth special groups) so that
> our on-campus users can access restricted resources without logging in,
> too..
> I haven't noticed this particular issue -- Discovery has appeared to be
> working from what I've seen but I've mostly been testing access to the
> items/bitstreams themselves, so I'll take a look at our logs, too.
> From my quick testing so far it's looking like I can reproduce the issue
> you're talking about -- as an Anonymous user with only IPAUTH granting me
> an extra special group, I can access all the resources I need to, but
> Discovery is ignoring my special group and hiding recent submissions /
> search results from me.
>
> The assumption that (currentUser == null) always means "Anonymous only" is
> definitely an assumption that's going to break special groups like IPAUTH..
> so I think you're onto something there. Which classes are you looking at?
>
> Cheers
>
> Kim
>
> On 5 September 2014 07:04, Peter Dietz <[email protected]> wrote:
>
>> Hi All,
>>
>> I was wondering if anyone is using the IPAuthentication mechanism, where
>> you can have anonymous users who happen to be on a certain IP address range
>> (i.e. campus / regional campus), and should be able to view that restricted
>> content without having to log in.
>>
>> However, I'm having some issues, as I don't think that Discovery is
>> actually checking the current user (anonymous user that could have "special
>> groups"). I've noticed some difference in behavior when I'm visiting the
>> site as anonymous user (not logged in), and also while logged in as a user
>> who has no credentials (member of anonymous group though).
>> i.e. some of the authentication / context logic goes
>> if(currentUser != null) {...
>>
>> I've checked that Discovery has indexed the content correctly, which
>> appears to be correct. i.e. ?q=handle:123456789/3456
>> And that item has read:"g7"
>>
>> My config/modules/authentication-ip.cfg has something like:
>> (Production it is different values).
>>
>> ip.CAMPUS = 127.0.0.1
>>
>> And group CAMPUS, groupID: 7.
>>
>>
>> 2014-09-04 14:50:17,145 DEBUG org.dspace.authenticate.IPMatcher @ ipIn:
>> 127.0.0.1
>>
>> 2014-09-04 14:50:17,145 DEBUG org.dspace.authenticate.IPAuthentication @
>> anonymous:session_id=23AB7F7C2C8DA06BE556148B855E1D01:authenticated:special_groups=7
>>
>> 2014-09-04 14:50:17,146 DEBUG org.dspace.app.xmlui.utils.ContextUtil @
>> Adding Special Group id=7
>>
>>
>> When Discovery makes the check, it appears to have discarded the special
>> group, and the query (I've added some debug)
>>
>> 2014-09-04 14:50:17,282 DEBUG
>> org.dspace.discovery.SolrServiceResourceRestrictionPlugin @ ResourceQuery:
>> read:(g0)
>>
>> Where g0 is anonymous group. It should have been "g0 OR g7".
>>
>>
>> So, if anyone has run across this issue, or would like to look into it,
>> please let me know.
>>
>> ________________
>> Peter Dietz
>> Longsight
>> www.longsight.com
>> [email protected]
>> p: 740-599-5005 x809
>>
>>
>> ------------------------------------------------------------------------------
>> Slashdot TV.
>> Video for Nerds.  Stuff that matters.
>> http://tv.slashdot.org/
>> _______________________________________________
>> DSpace-tech mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/dspace-tech
>> List Etiquette:
>> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
>>



-- 
*Mark Diggory*
*2888 Loker Avenue East, Suite 315, Carlsbad, CA. 92010*
*Esperantolaan 4, Heverlee 3001, Belgium*
http://www.atmire.com
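
Added example, not part of the original thread and not DSpace's own code: a stand-alone model of the read filter discussed above, showing the reported behaviour (special groups dropped for anonymous sessions) next to the correction Mark describes. The class and method names, the `e<id>` user term, and the sample user and group ids other than g0 and g7 are assumptions made for illustration.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Simplified stand-alone model of the Discovery read filter; not DSpace code.
public class ReadFilterExample {
    static final int ANONYMOUS_GROUP = 0; // "g0" in the thread's log line

    // Reported behaviour: groups are only consulted when a user is logged in,
    // so an anonymous session never gets its IP-granted special groups.
    static String filterIgnoringSpecialGroups(Integer userId, Set<Integer> memberGroups) {
        StringBuilder q = new StringBuilder("read:(g").append(ANONYMOUS_GROUP);
        if (userId != null) {
            q.append(" OR e").append(userId); // assumed per-user term
            for (Integer g : memberGroups) {
                q.append(" OR g").append(g);
            }
        }
        return q.append(")").toString();
    }

    // Correction described in the reply: special groups held by the session
    // are added to the query whether or not a user is logged in.
    static String filterWithSpecialGroups(Integer userId, Set<Integer> memberGroups,
                                          Set<Integer> specialGroups) {
        Set<Integer> groups = new LinkedHashSet<>(); // de-duplicates, keeps order
        groups.add(ANONYMOUS_GROUP);
        if (userId != null) {
            groups.addAll(memberGroups);
        }
        groups.addAll(specialGroups); // applied even when userId is null
        StringBuilder q = new StringBuilder("read:(");
        String sep = "";
        for (Integer g : groups) { // typed ids only, no free text reaches the query
            q.append(sep).append("g").append(g);
            sep = " OR ";
        }
        if (userId != null) {
            q.append(" OR e").append(userId);
        }
        return q.append(")").toString();
    }

    public static void main(String[] args) {
        Set<Integer> campus = Set.of(7); // group CAMPUS (id 7) granted by IP, as in the thread
        System.out.println(filterIgnoringSpecialGroups(null, Set.of()));
        System.out.println(filterWithSpecialGroups(null, Set.of(), campus));
        // Constructed case: logged-in user 42, member of group 3, on a campus IP.
        System.out.println(filterWithSpecialGroups(42, Set.of(3), campus));
    }
}
```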
