Hi, it seems that there is a security hole with POST /items/find-by-metadata-field endpoint in DSpace REST API. When retrieving items, all items are returned, disregarding the authorization of the user.
If we inspect other endpoints, e.g. GET /items endpoint, item list is filtered according to authorization (by calling itemService.isItemListedForUser(context, dspaceItem) ) Is this a bug or by design? Best regards, Vladisav -- You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/dspace-tech. For more options, visit https://groups.google.com/d/optout.
