Mike,

Thanks for your input. I haven't had any other responses yet so I'm
assuming this is not something that has happened a lot. I tried what you
suggested and it does work! (ctrl refresh brings up correct status of
page) but my concern is that unprivileged users accessing the item from
the outside will in certain cases get access to restricted content and
see themselves logged in as a privileged user...

Thanks again for your input,   

Nigel

-----Original Message-----
From: Michael White [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 26, 2008 9:47 AM
To: Nigel Pegus
Cc: [email protected]
Subject: Re: Unplanned user access

Hi Nigel,

You wrote:

> While experimenting with groups and restricting user access to various
> collections I noted that it is possible to log out the system then
> attempt to access an item in a collection which is not normally publicly
> accessible. The system will indicate that the user that created the
> item is logged in one instance and in another similar experiment a user
> who was made part of a group with the required access rights will then
> appear as logged on thus allowing the unprivileged user access to the item.
>
> Has anyone encountered this before??

Not sure if you got a response to this as I've been off for a while so
doing a very high speed trawl through a couple of weeks' worth of various
mailing lists . . .

Anyway, this may or may not be related, but one thing that still catches
me out occasionally is the caching of DSpace pages - we have an embargo
feature implemented that only allows admins access to embargoed items.
If I log on as Admin, access a restricted item's "Simple Metadata" page
(from where I can open the item), log out, then revisit the item display
page I find that it says that I'm still logged on (my email address
shows in the top left even though I've logged out and the link to the
item is still displayed) - however, this is just a cached version of the
page, and if I attempt to open the item, I get (correctly) taken to our
"You can't access this item but you can request it from the original
depositor" page . . .

Whenever I encounter something like this (appearing to be logged on when
I don't think I am, or vice versa), I use Ctrl-refresh (hold down the
Ctrl key whilst clicking the browser refresh) and that forces the page
to completely reload (rather than using the cached version).

As I say, may not be related to what you're experiencing, but thought
I'd mention it just in case :-)

Regards,

Mike
 
Michael White 
eLearning Developer
Centre for eLearning Development (CeLD) 
S7, The Library 
University of Stirling 
Stirling SCOTLAND 
FK9 4LA 

Email: [EMAIL PROTECTED] 
Tel: +44 (0) 1786 466877 
Fax: +44 (0) 1786 466880 

http://www.is.stir.ac.uk/celd/





_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
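
The distinction the thread turns on is whether a page rendered for a logged-in user can be replayed only by that user's own browser cache or also by a shared cache in front of the server. The following is an added example, not code from either poster or from DSpace: it reads a response's caching headers and reports which kind of cache may reuse the page without revalidating. The sample headers are constructed and are not what DSpace actually sends; the function names are hypothetical.

```python
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"')
    return out

def lifetime(cc, h, shared):
    """Freshness lifetime in seconds; None means no explicit value was sent."""
    for name in (("s-maxage", "max-age") if shared else ("max-age",)):
        if name in cc:
            try:
                return int(cc[name])
            except ValueError:
                return 0  # malformed value: treat as already stale
    if "expires" in h:
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
            return delta.total_seconds()
        except (KeyError, TypeError, ValueError):
            return 0  # invalid Expires such as "0" means already expired
    return None

def reuse_without_revalidation(headers):
    """Return (browser_cache, shared_cache): may each reuse the stored page
    without asking the server again, e.g. after the user has logged out?"""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or cc.get("no-cache") == "":
        return (False, False)
    def fresh(shared):
        t = lifetime(cc, h, shared)
        return t is None or t > 0  # None: cache may apply heuristic freshness
    return (fresh(False), False if "private" in cc else fresh(True))

# Constructed response headers for a page rendered for a logged-in user.
SAMPLES = {
    "no cache headers": {"Date": "Mon, 26 May 2008 08:47:00 GMT",
                         "Last-Modified": "Fri, 23 May 2008 10:00:00 GMT"},
    "private, 10 min": {"Cache-Control": "private, max-age=600"},
    "expired": {"Date": "Mon, 26 May 2008 08:47:00 GMT", "Expires": "0"},
    "no-store": {"Cache-Control": "no-store"},
}

def audit(samples=SAMPLES):
    return {name: reuse_without_revalidation(h) for name, h in samples.items()}
```

A result of `(True, False)` corresponds to the stale page reappearing only in the browser that fetched it, while `(True, True)` marks a response that an intermediary cache would also be allowed to serve to other clients.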