Hi Vladisav, Please note that DSpace 7.0 is still under active development and that some REST API endpoints might change. So expect some rough edges here and there.
Best regards, Tom [image: logo] Tom Desair 250-B Suite 3A, Lucius Gordon Drive, West Henrietta, NY 14586 Gaston Geenslaan 14, Leuven 3001, Belgium www.atmire.com <http://atmire.com/website/?q=services&utm_source=emailfooter&utm_medium=email&utm_campaign=tomdesair> 2017-06-16 11:42 GMT+02:00 Vladisav Jelisavcic <[email protected]>: > Thanks! > > Best regards, > Vladisav > > On Fri, Jun 16, 2017 at 11:26 AM, Tom Desair <[email protected]> > wrote: > >> Hi Vladisav, >> >> We will investigate this issue. >> >> Best regards, >> Tom >> >> >> >> [image: logo] Tom Desair >> 250-B Suite 3A, Lucius Gordon Drive, West Henrietta, NY 14586 >> Gaston Geenslaan 14, Leuven 3001, Belgium >> www.atmire.com >> <http://atmire.com/website/?q=services&utm_source=emailfooter&utm_medium=email&utm_campaign=tomdesair> >> >> 2017-06-16 10:43 GMT+02:00 Benedikt Kroll <benedikt.kroll@der-arbeitende >> .de>: >> >>> Hi, >>> >>> that's interesting for us as well - our institution uses DSpace mainly >>> as a data provider via REST. >>> >>> Until now, the documentation at https://wiki.duraspace.org/dis >>> play/DSDOC6x/REST+API#RESTAPI-Items does not mention anything about >>> different respect for user authorization rules. >>> >>> Is it generally safe to rely on the REST API to perform correct >>> filtering according to user authorization? Otherwise, we would need to >>> consider a double-checking of an item's status on the REST client side, >>> possibly by inserting a "public" indicator into the item's metadata. >>> >>> @Vladisav: What version of DSpace are you using? >>> >>> Thanks! >>> >>> vladisav <[email protected]> hat am 14. Juni 2017 um 01:26 >>> geschrieben: >>> >>> >>> Hi, >>> >>> it seems that there is a security hole with POST >>> /items/find-by-metadata-field endpoint in DSpace REST API. >>> When retrieving items, all items are returned, disregarding the >>> authorization of the user. >>> >>> If we inspect other endpoints, e.g. GET /items endpoint, item list is >>> filtered according to authorization >>> (by calling itemService.isItemListedForUser(context, dspaceItem) ) >>> >>> Is this a bug or by design? >>> >>> Best regards, >>> Vladisav >>> >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "DSpace Technical Support" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To post to this group, send email to [email protected]. >>> Visit this group at https://groups.google.com/group/dspace-tech. >>> For more options, visit https://groups.google.com/d/optout. >>> >>> >>> >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "DSpace Technical Support" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To post to this group, send email to [email protected]. >>> Visit this group at https://groups.google.com/group/dspace-tech. >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> > -- > You received this message because you are subscribed to the Google Groups > "DSpace Technical Support" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at https://groups.google.com/group/dspace-tech. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/dspace-tech. For more options, visit https://groups.google.com/d/optout.
