Hello Samuele, many thanks for your answers.

On 2 Dec 2013, at 14:39, Samuele Kaplun <[email protected]> wrote:

> Hi Johnny,
>
> On Monday 2 December 2013 14:29:05, Johnny Mariéthoz wrote:
>> I have already some restricted documents using the special FFT tag $r as:
>> status:INTERNAL
>> for example.
>>
>> In my case INTERNAL is restricted by the remote ip addresses.
>>
>> Now, I want to use embargo by using a firerole such as:
>>
>> firerole:
>> allow from "2014-01-01"
>> allow any
>>
>> Is it possible to use both? For example, the file can be accessed anytime by
>> all "INTERNAL" users and the others should wait until the embargo date.
>
> Yes, you can simply combine the lines:
>
> allow from "2014-01-01"
> allow remote_ip "192.168.0.1"
> deny any
>
> (be careful, you had allow any in your example. That would match any user).

I don't think that this does the job. It looks like these rules prevent any access (except for the admin) until 2014-01-01 and allow access to it only to 192.168.0.1 after this date. In my case I want to allow 192.168.0.1 to access this file at any date and to all after 2014-01-01.

>
>> I do not want to specify the IPs directly in the firerole as they can change
>> over the time.
>
> Can't you maybe use IP ranges? e.g.
>
> allow remote_ip "192.168.0.1/24"

Yes, but sometimes I receive a new ip range, and in this case I have to set the permission on all files, which does not sound good.

>
>> Can I use the "group" field? How?
>
> Mmh.. group is really like referring to users.
>
>> Do I have to create an
>> external "fake" authentication method to provide a corresponding group?
>
> That sounds slightly overcomplicating... Do you already happen to have your
> system based on an external authentication method? Because then you can
> extend
> its fetch_user_preferences() method and return a key to say whether the user
> is internal or external (based on a configurable list of IPs) and reuse that
> key inside firerole...
>
> E.g. say that fetch_user_preferences() returned a dictionary with a key
> "external" set to 1 or 0 (that's actually what we do in the CERN Document
> Server: see external_authentication_sso.py, the method
> __fetch_particular_preferences().) You will then be able to use in firerole a
> rule such as:
>
> deny external_external "1"
>
> (the "external_" prefix is automatically added to any key returned by
> "fetch_user_preferences()").

Hmm, I'm not sure that is the right approach as usually the user is not logged in. Can I add user_preferences to the guest account based on the remote_ip?

My problem is the following: I have several institutions in RERO DOC. For each I have a list of IP ranges. I already use this for the restriction (the "status" flag). Can I use this configuration in the firerole rules, as I want to "centralize" the ip configuration?

Many thanks in advance,

Cheers,

>
> Cheers,
> Sam
>
> --
> Samuele Kaplun
> Invenio Developer ** <http://invenio-software.org/>
> INSPIRE Service Manager ** <http://inspirehep.net/>

