Is this also related to anonymous read access of metadata via OAI and 3rd party tools such as SRW/SRU?
We have a 3rd party extension that uses OAI to retrieve DSpace records but even if one removes all authorization to a repository item, the record's metadata is still viewable via OAI and searchable via our SRW/SRU implementation.

Cheers
Hayden

Stuart Lewis (JIRA) wrote:
> [ http://jira.dspace.org/jira/browse/DS-304?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>
> Stuart Lewis updated DS-304:
> ----------------------------
>
> Fix Version/s: (was: 1.6.0)
>
>> XMLUI's METS generator ignores authorization
>> --------------------------------------------
>>
>> Key: DS-304
>> URL: http://jira.dspace.org/jira/browse/DS-304
>> Project: DSpace 1.x
>> Issue Type: Bug
>> Components: XMLUI
>> Affects Versions: 1.5.0, 1.5.1, 1.5.2
>> Reporter: Kim Shepherd
>> Priority: Minor
>>
>> (apologies if this is a duplicate, I couldn't find any related issues,
>> though I know the OAI interface has been under similar scrutiny)
>>
>> By default, XMLUI will generate and send METS metadata for a DSO if the URL
>> pattern matches: metadata/handle/*/*/**
>>
>> Item/collection/community authorisations are not checked by
>> DSpaceMETSGenerator first, which means that items with no anonymous READ
>> access, items with [Harvard/MIT-style] embargos applied, etc. are still
>> ultimately exposing metadata to users and machines who know how to take
>> advantage of this bug.
>>
>> I am not sure whether this should be handled by patching DSpaceMETSGenerator
>> or disabling the pattern match in sitemap.xmap by default and documenting
>> its behaviour thoroughly, so admins can enable it once they are sure they
>> are happy with unrestricted metadata access.
>>
>> I can't promise these URLs will remain live/relevant forever, but you can
>> quickly replicate this bug by viewing:
>> http://www.anonymous.org.nz:8180/handle/123456789/23
>> http://www.anonymous.org.nz:8180/metadata/handle/123456789/23/mets.xml
>>
>> Any comments/suggestions?
_______________________________________________
Dspace-devel mailing list
https://lists.sourceforge.net/lists/listinfo/dspace-devel
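An added example, not part of the original thread or of the DSpace code base: a repository admin can check whether the `metadata/handle/*/*/**` path quoted in DS-304 has already served METS records for restricted items by scanning the web access log. It assumes Common Log Format lines and an admin-supplied set of handles that have no anonymous READ policy; the log lines, addresses and the `find_metadata_exposures` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Request path matching the XMLUI pattern quoted in DS-304: metadata/handle/*/*/**
METS_PATH = re.compile(r"^/metadata/handle/([^/\s]+)/([^/\s]+)/\S+")
# Common Log Format (assumed; adjust to your access-log valve or reverse proxy).
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')


def find_metadata_exposures(log_lines, restricted_handles):
    """Return {handle: [(client, timestamp, path), ...]} for successful METS
    metadata requests against handles that should not be anonymously readable."""
    hits = defaultdict(list)
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # not in the assumed log format
        client, ts, method, target, status, _size = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        p = METS_PATH.match(path)
        if method != "GET" or p is None or not status.startswith("2"):
            continue  # only successful fetches of the metadata path matter
        handle = f"{p.group(1)}/{p.group(2)}"
        if handle in restricted_handles:
            hits[handle].append((client, ts, path))
    return dict(hits)


# Constructed sample data. Handle 123456789/23 is treated as restricted,
# 123456789/40 as public; in practice the set comes from your own policy export.
RESTRICTED = {"123456789/23"}
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Nov/2009:10:01:12 +1300] "GET /handle/123456789/23 HTTP/1.1" 302 -',
    '198.51.100.7 - - [09/Nov/2009:10:01:15 +1300] "GET /metadata/handle/123456789/23/mets.xml HTTP/1.1" 200 8421',
    '203.0.113.20 - - [09/Nov/2009:10:05:40 +1300] "GET /metadata/handle/123456789/40/mets.xml HTTP/1.1" 200 7010',
    '203.0.113.20 - - [09/Nov/2009:10:06:02 +1300] "GET /metadata/handle/123456789/23/mets.xml HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    for handle, requests in find_metadata_exposures(SAMPLE_LOG, RESTRICTED).items():
        for client, ts, path in requests:
            print(f"restricted item {handle} served via {path} to {client} at {ts}")
```

Any hit means the metadata of a restricted or embargoed item left the repository through this path, regardless of what the item page itself returned.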
