[Dspace-devel] [DSJ] Updated: (DS-304) XMLUI's METS generator ignores authorization

Wed, 21 Oct 2009 13:33:56 -0700 

     [ 
http://jira.dspace.org/jira/browse/DS-304?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stuart Lewis updated DS-304:
----------------------------

    Fix Version/s:     (was: 1.6.0)

> XMLUI's METS generator ignores authorization
> --------------------------------------------
>
>                 Key: DS-304
>                 URL: http://jira.dspace.org/jira/browse/DS-304
>             Project: DSpace 1.x
>          Issue Type: Bug
>          Components: XMLUI
>    Affects Versions: 1.5.0, 1.5.1, 1.5.2
>            Reporter: Kim Shepherd
>            Priority: Minor
>
> (apologies if this is a duplicate, I couldn't find any related issues, though 
> I know the OAI interface has been under similar scrunity)
> By default, XMLUI will generate and send METS metadata for a DSO if the URL 
> pattern matches: metadata/handle/*/*/**
> Item/collection/community authorisations are not checked by 
> DSpaceMETSGenerator first, which means that items with no anonymous READ 
> access, items with [Harvard/MIT-style] embargos applied, etc. are still 
> ultimately exposing metadata to users and machines who know who to take 
> advantage of this bug.
> I am not sure whether this should be handled by patching DSpaceMETSGenerator 
> or disabling the pattern match in sitemap.xmap by default and documenting its 
> behaviour thoroughly, so admins can enable it once they are sure they are 
> happy with unrestricted metadata access.
> I can't promise these URLs will remain live/relevant forever, but you can 
> quickly replicate this bug by viewing:
> http://www.anonymous.org.nz:8180/handle/123456789/23
> http://www.anonymous.org.nz:8180/metadata/handle/123456789/23/mets.xml
> Any comments/suggestions?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.dspace.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel

Reply via email to