How to reproduce:
1) Create a Collection where DEFAULT_READ access is limited to a non-Anonymous group (e.g. Administrators or similar)
2) Submit an Item to that Collection
3) Run "./dspace oai import"
- The Item will be access restricted from the UI (XMLUI or JSPUI), and will not be accessible to Anonymous Users
- HOWEVER, the Item's metadata will be available from OAI-PMH anonymously
Essentially, it seems like OAI-PMH should be verifying each Item has Anonymous READ permissions before it indexes the Item. Instead, by default OAI-PMH just indexes everything where "in_archive=TRUE" and "discoverable=TRUE":
NOTE: In this scenario, "discoverable=TRUE" as these Items were not marked fully "private". Instead, they are being access controlled by Resource Policies. So the issue here is that OAI-PMH is not checking the Resource Policies.
In all honesty, this could also be considered the fault of "Item.getMetadata()" which fails to validate Item READ access before returning all metadata values (as OAI-PMH calls getMetadata() to perform its indexing):