Re: [dspace-tech] Open informations about restricted items

2018-11-02 Thread Tim Donohue
Hi Paul,

Unfortunately, that's something we're aware of.  It's made it into several
tickets:
https://jira.duraspace.org/browse/DS-304  (XMLUI METS generator ignores
authorization)
https://jira.duraspace.org/browse/DS-1922 (Metadata of withdrawn items is
accessible -- if you know the URL)
https://jira.duraspace.org/browse/DS-1258 (Restrict access to mets.xml)

As you'll see in the discussions of those tickets, we've tried to come up
with some decent solutions, but have yet to find a way to actually fix
this.  The details in the "mets.xml" are required by the theming engine of
the XMLUI, but likely should be somehow restricted only to that theming
engine (perhaps only accessible on localhost?).

If you or anyone else on this list has ideas on how to resolve this once
and for all, it'd be welcome.  It simply hasn't received enough detailed
thought/digging to figure out a way to solve. Unfortunately, I'm not sure
any of the core developers (Committers) will get back to this anytime soon
as most of their efforts are currently on the upcoming DSpace 7.x release.

- Tim

On Fri, Nov 2, 2018 at 3:04 AM Paul Münch wrote:

> Hello,
>
> I'd like to share an issue which bothers me a little bit. We use DSpace 6.3
> with XMLUI. It is possible to see metadata and bitstream information of
> restricted items, if someone knows the handle ( e.g. crawl all handles
> of the repository ) and uses this URL:
> [dspace-url]/metadata/handle/.../mets.xml ( or ./ore.xml ). The
> bitstreams are not downloadable but everybody could look into restricted
> information.
>
> Are you aware of this or do you have some workarounds?
>
> Kind regards,
>
> Paul Münch
>
> --
> Philipps-Universität Marburg | UB
> Digitale Dienste | Deutschhausstraße 9 | D018
> Tel. +49 06421 28-24624
> --
>
>
> --
> All messages to this mailing list should adhere to the DuraSpace Code of
> Conduct: https://duraspace.org/about/policies/code-of-conduct/
> ---
> You received this message because you are subscribed to the Google Groups
> "DSpace Technical Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to dspace-tech+unsubscr...@googlegroups.com.
> To post to this group, send email to dspace-tech@googlegroups.com.
> Visit this group at https://groups.google.com/group/dspace-tech.
> For more options, visit https://groups.google.com/d/optout.
>
-- 
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
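
Added example (not part of the original thread, and not DSpace code): a log check that lists which non-loopback clients were served mets.xml or ore.xml under /metadata/handle/, the path named in the thread, and for which handles. It assumes an access log in Combined Log Format that records the real client address; the sample lines, handles and addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (Combined Log Format, documentation address ranges).
SAMPLE_LOG = """\
127.0.0.1 - - [02/Nov/2018:03:01:10 +0100] "GET /metadata/handle/123456789/10/mets.xml HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [02/Nov/2018:03:02:11 +0100] "GET /metadata/handle/123456789/10/mets.xml HTTP/1.1" 200 5120 "-" "curl/7.58"
198.51.100.7 - - [02/Nov/2018:03:02:12 +0100] "GET /metadata/handle/123456789/11/mets.xml HTTP/1.1" 200 4988 "-" "curl/7.58"
198.51.100.7 - - [02/Nov/2018:03:02:13 +0100] "GET /metadata/handle/123456789/12/ore.xml?x=1 HTTP/1.1" 200 2210 "-" "curl/7.58"
203.0.113.9 - - [02/Nov/2018:03:05:00 +0100] "GET /handle/123456789/10 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Nov/2018:03:05:02 +0100] "GET /metadata/handle/123456789/10/mets.xml HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# client address, request path and status code of a GET/HEAD request
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# /metadata/handle/<prefix>/<suffix>/mets.xml or ore.xml, with or without a query string
META_RE = re.compile(r'/metadata/handle/([^/?\s]+/[^/?\s]+)/(?:mets|ore)\.xml(?:\?|$)')


def external_metadata_hits(log_text, min_handles=1):
    """Map each non-loopback client to the handles whose mets.xml/ore.xml it was served (2xx)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET/HEAD line in the expected format
        client, path, status = m.groups()
        meta = META_RE.search(path)
        if not meta or not status.startswith("2"):
            continue  # other path, or the document was not actually served
        try:
            if ipaddress.ip_address(client).is_loopback:
                continue  # request from the local host itself
        except ValueError:
            pass  # hostname instead of an address: treat as external
        hits[client].add(meta.group(1))
    # A client that touched many distinct handles looks like a handle crawl.
    return {c: sorted(h) for c, h in hits.items() if len(h) >= min_handles}


if __name__ == "__main__":
    for client, handles in external_metadata_hits(SAMPLE_LOG).items():
        print(client, len(handles), ", ".join(handles))
```

Raising min_handles narrows the report to clients that fetched metadata documents for many different handles, the crawling pattern described in the original question.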



[dspace-tech] Open informations about restricted items

2018-11-02 Thread Paul Münch
Hello,

I'd like to share an issue which bothers me a little bit. We use DSpace 6.3
with XMLUI. It is possible to see metadata and bitstream information of
restricted items, if someone knows the handle ( e.g. crawl all handles
of the repository ) and uses this URL:
[dspace-url]/metadata/handle/.../mets.xml ( or ./ore.xml ). The
bitstreams are not downloadable but everybody could look into restricted
information.

Are you aware of this or do you have some workarounds?

Kind regards,

Paul Münch

-- 
Philipps-Universität Marburg | UB 
Digitale Dienste | Deutschhausstraße 9 | D018
Tel. +49 06421 28-24624  
--



