DSpace / DS-4168

Performing metadataschema or metadatafield PUT requests as an unprivileged user results in a 404 instead of a 403


    Details

    • Type: Bug
    • Status: Volunteer Needed
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 7.0
    • Fix Version/s: 7.0
    • Component/s: REST API v7
    • Labels:
      None
    • Attachments:
      0
    • Comments:
      0
    • Documentation Status:
      Not Required

      Description

      Reported in the code review process of this PR: https://github.com/DSpace/DSpace/pull/2291#pullrequestreview-202680789 

      As noted in those comments, if you perform a PUT request to "metadatafield" or "metadataschema" as an unprivileged user (an EPerson without correct permissions), a 404 response is returned. 

      The expectation is that a 403 Forbidden response should be returned.

      You can test with Atmire's database - https://www.dropbox.com/s/ovqp394y3vofnwa/entities7-test-db.sql.gz?dl=1
      And with a user that doesn't have any record on epersongroup2eperson, like atmirenv+write5a@g****.com.

      Trying this PUT http://localhost/spring-rest/api/core/metadataschemas/1
      `{"id":1,"prefix":"dc","namespace":"http://dublincore.org/documents/dcmi-terms/"}`

      I've got a 404 error, please check out my Apache log:

      `SERVER - - [11/Feb/2019:15:14:37 +0000] "PUT /spring-rest/api/core/metadataschemas/1 HTTP/1.1" 404 949 "http://localhost/admin/registries/metadata/eperson?pageId=registry-metadatafields-pagination&page=1&pageSize=25&sortDirection=ASC&sortField=id" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"`
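
A regression check for the behaviour reported above, as an added example that is not part of the original report or of the DSpace code base. It replays the quoted PUT and classifies the status code; the `Authorization: Bearer` header, the token value and the local stub server (constructed so the check runs offline) are assumptions.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Endpoint and body are the ones quoted in the report.
PATH = "/spring-rest/api/core/metadataschemas/1"
BODY = {"id": 1, "prefix": "dc",
        "namespace": "http://dublincore.org/documents/dcmi-terms/"}


def put_status(host, port, token, path=PATH, body=BODY):
    """Send the PUT as the token's user and return the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("PUT", path, json.dumps(body), {
        "Content-Type": "application/json",
        "Authorization": "Bearer " + token})  # assumed auth scheme
    status = conn.getresponse().status
    conn.close()
    return status


def verdict(status):
    """Classify the status for a user who must not be able to write."""
    if 200 <= status < 300:
        return "fail: unprivileged write accepted"
    return {403: "ok: forbidden as expected",
            404: "bug: 404 instead of 403 (DS-4168)",
            401: "inconclusive: request treated as anonymous",
            }.get(status, "unexpected status %d" % status)


def stub_server(status):
    """Constructed local stand-in that answers every PUT with `status`."""
    class Handler(BaseHTTPRequestHandler):
        log_message = lambda *args: None  # keep the demo quiet
        def do_PUT(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self.send_response(status)
            self.send_header("Content-Length", "0")
            self.end_headers()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    for code in (404, 403):  # reported behaviour, then expected behaviour
        srv = stub_server(code)
        print(code, verdict(put_status("127.0.0.1", srv.server_port, "tok")))
```

Against a real instance, call `put_status` with the server's host and port and a token belonging to an EPerson without the required permissions; a 2xx verdict there is a worse finding than the 404 in this report.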

       

            People

            Assignee:
            Unassigned
            Reporter:
            paulo_graca Paulo Graça