Hi, we are using DSpace 7.0-SNAPSHOT. For our use case, we definitely need to rely on DSpace for authorization, as we will have many clients and we cannot fully trust them.
I find it too a bit misleading that documentation is not mentioning anything about authorization. GET /items endpoint is doing filtering, while POST /find-by-metadata-field is not If we look at the current master branch (links are valid for the latest commit: a588d42 <https://github.com/DSpace/DSpace/commit/a588d42f5a2a15b81908a5534a28f0d947edd033> at the writing of this mail): https://github.com/DSpace/DSpace/blob/master/dspace-rest/src/main/java/org/dspace/rest/ItemsResource.java#L207 first endpoint is checking the authorization: https://github.com/DSpace/DSpace/blob/master/dspace-api/src/main/java/org/dspace/content/ItemServiceImpl.java#L1187 while the other one (any several others) are not: https://github.com/DSpace/DSpace/blob/master/dspace-rest/src/main/java/org/dspace/rest/ItemsResource.java#L1049 If someone from community confirms this is a bug, I could submit a patch (as solving this is critical for us to continue using DSpace). Best regards, Vladisav On Fri, Jun 16, 2017 at 10:43 AM, Benedikt Kroll < [email protected]> wrote: > Hi, > > that's interesting for us as well - our institution uses DSpace mainly as > a data provider via REST. > > Until now, the documentation at https://wiki.duraspace.org/ > display/DSDOC6x/REST+API#RESTAPI-Items does not mention anything about > different respect for user authorization rules. > > Is it generally safe to rely on the REST API to perform correct filtering > according to user authorization? Otherwise, we would need to consider a > double-checking of an item's status on the REST client side, possibly by > inserting a "public" indicator into the item's metadata. > > @Vladisav: What version of DSpace are you using? > > Thanks! > > vladisav <[email protected]> hat am 14. Juni 2017 um 01:26 geschrieben: > > Hi, > > it seems that there is a security hole with POST > /items/find-by-metadata-field endpoint in DSpace REST API. > When retrieving items, all items are returned, disregarding the > authorization of the user. > > If we inspect other endpoints, e.g. GET /items endpoint, item list is > filtered according to authorization > (by calling itemService.isItemListedForUser(context, dspaceItem) ) > > Is this a bug or by design? > > Best regards, > Vladisav > > > -- > You received this message because you are subscribed to the Google Groups > "DSpace Technical Support" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at https://groups.google.com/group/dspace-tech. > For more options, visit https://groups.google.com/d/optout. > > > > -- You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/dspace-tech. For more options, visit https://groups.google.com/d/optout.
