Hi Johnny,
On Monday 2 December 2013 14:29:05, Johnny Mariéthoz wrote:
> I have already some restricted documents using the special FFT tag $r as:
> status:INTERNAL
> for example.
>
> In my case INTERNAL is restricted by the remote IP addresses.
>
> Now, I want to use embargo by using a firerole such as:
>
> firerole:
> allow from "2014-01-01"
> allow any
>
> Is it possible to use both? For example, the file can be accessed anytime by
> all "INTERNAL" users and the others should wait until the embargo date.
Yes, you can simply combine the lines:
allow from "2014-01-01"
allow remote_ip "192.168.0.1"
deny any
(be careful, you had allow any in your example. That would match any user).
> I do not want to specify the IPs directly in the firerole as they can change
> over time.
Can't you maybe use IP ranges? e.g.
allow remote_ip "192.168.0.1/24"
> Can I use the "group" field? How?
Mmh.. group is really like referring to users.
> Do I have to create an
> external "fake" authentication method to provide a corresponding group?
That sounds slightly overcomplicating... Do you already happen to have your
system based on an external authentication method? Because then you can extend
its fetch_user_preferences() method and return a key to say whether the user
is internal or external (based on a configurable list of IPs) and reuse that
key inside firerole...
E.g. say that fetch_user_preferences() returned a dictionary with a key
"external" set to 1 or 0 (that's actually what we do in the CERN Document
Server: see external_authentication_sso.py, the method
__fetch_particular_preferences().) You will then be able to use in firerole a
rule such as:
deny external_external "1"
(the "external_" prefix is automatically added to any key returned by
"fetch_user_preferences()").
Cheers,
Sam
--
Samuele Kaplun
Invenio Developer ** <http://invenio-software.org/>
INSPIRE Service Manager ** <http://inspirehep.net/>
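
The rule combination discussed in this thread, as an added Python example that is not part of the original e-mail and is not Invenio code: it models an "external" key derived from a configurable list of IP ranges and evaluates an embargo rule set against it. The function names, the rule tuples (a simplified stand-in for firerole lines), the network list, and the assumption that the first matching rule decides with a default of deny are all assumptions made for this sketch.

```python
import ipaddress
from datetime import date

# Constructed, configurable list of internal networks (assumption for this sketch).
INTERNAL_NETWORKS = ["192.168.0.1/24"]

def user_preferences(remote_ip, networks=INTERNAL_NETWORKS):
    """Hypothetical stand-in for what an extended fetch_user_preferences()
    could return: "external" is "0" for internal addresses, "1" otherwise."""
    addr = ipaddress.ip_address(remote_ip)
    # strict=False accepts "192.168.0.1/24" (host bits set) as 192.168.0.0/24
    internal = any(addr in ipaddress.ip_network(n, strict=False) for n in networks)
    return {"external": "0" if internal else "1"}

def build_user(remote_ip):
    # Mirrors the "external_" prefix added to keys from fetch_user_preferences()
    return {"external_" + k: v for k, v in user_preferences(remote_ip).items()}

def evaluate(rules, user, today):
    """Assumed semantics: the first matching rule decides; no match means deny."""
    for action, field, value in rules:
        if field == "any":
            matched = True
        elif field == "from":
            matched = today >= date.fromisoformat(value)
        else:
            matched = user.get(field) == value
        if matched:
            return action == "allow"
    return False

# Internal users at any time, everyone else from the embargo date onwards.
EMBARGO_RULES = [
    ("allow", "external_external", "0"),
    ("allow", "from", "2014-01-01"),
    ("deny", "any", None),
]
# Rule set from the question: the trailing "allow any" matches every user,
# so the embargo date has no effect.
OPEN_RULES = [("allow", "from", "2014-01-01"), ("allow", "any", None)]

if __name__ == "__main__":
    before = date(2013, 12, 2)
    for ip in ("192.168.0.77", "203.0.113.5"):  # constructed sample addresses
        user = build_user(ip)
        print(ip, "embargo rules:", evaluate(EMBARGO_RULES, user, before),
              "| allow-any rules:", evaluate(OPEN_RULES, user, before))
```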