Hi Paul, Unfortunately, that's something we're aware of. It's made it into several tickets: https://jira.duraspace.org/browse/DS-304 (XMLUI METS generator ignores authorization) https://jira.duraspace.org/browse/DS-1922 (Metadata of withdrawn items is accessible -- if you know the URL) https://jira.duraspace.org/browse/DS-1258 (Restrict access to mets.xml)
As you'll see in the discussions of those tickets, we've tried to come up with some decent solutions, but have yet to find a way to actually fix this. The details in the "mets.xml" are required by the theming engine of the XMLUI, but likely should be somehow restricted only to that theming engine (perhaps only accessible on localhost?). If you or anyone else on this list has ideas on how to resolve this once and for all, it'd be welcome. It simply hasn't received enough detailed thought/digging to figure out a way to solve. Unfortunately, I'm not sure any of the core developers (Committers) will get back to this anytime soon as most of their efforts are currently on the upcoming DSpace 7.x release. - Tim On Fri, Nov 2, 2018 at 3:04 AM Paul Münch <[email protected]> wrote: > Hello, > > I like to share an issue which bother me a little bit. We use DSpace 6.3 > with XMLUI. It is possible to see metadata and bitstream information of > restricted items, if someone knows the handle ( e.g. crawl all handles > of the repository ) and uses this URL: > [dspace-url]/metadata/handle/.../mets.xml ( or ./ore.xml ). The > bitstreams are not downloadable but everybody could look into restricted > information. > > Are you aware of this or have you some workarounds? > > Kind regards, > > Paul Münch > > -- > Philipps-Universität Marburg | UB > Digitale Dienste | Deutschhausstraße 9 | D018 > Tel. +49 06421 28-24624 <+49%206421%202824624> > -- > > > -- > All messages to this mailing list should adhere to the DuraSpace Code of > Conduct: https://duraspace.org/about/policies/code-of-conduct/ > --- > You received this message because you are subscribed to the Google Groups > "DSpace Technical Support" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at https://groups.google.com/group/dspace-tech. > For more options, visit https://groups.google.com/d/optout. > -- Tim Donohue Technical Lead for DSpace & DSpaceDirect DuraSpace.org | DSpace.org | DSpaceDirect.org -- All messages to this mailing list should adhere to the DuraSpace Code of Conduct: https://duraspace.org/about/policies/code-of-conduct/ --- You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/dspace-tech. For more options, visit https://groups.google.com/d/optout.
