Uploaded image for project: 'DSpace'
  1. DSpace
  2. DS-4278

Submitters can edit all metadata

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Volunteer Needed (View Workflow)
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 7.0
    • Fix Version/s: None
    • Component/s: REST API v7
    • Labels:
    • Attachments:
      0
    • Comments:
      0
    • Documentation Status:
      Needed

      Description

      With the new DSpace 7 REST API, a submitter is no longer restricted to editing metadata fields from the submission forms, if they use the /api/core/items endpoint.

      It's easy to modify any metadata field, e.g. using:
      ```
      curl -D - -X PATCH 'http://localhost:8080/rest/api/core/items/517f13ab-3105-42d3-bf55-271876fb726e' -H "Authorization: $authorization" -H "content-type: application/json" --data '[ { "op": "add", "path": "/metadata/dc.description.provenance", "value": [

      { "value": "Some provenance" }

      ] } ]'
      ```

      This is accessible because the user has WRITE permissions on the item
      The same action can be performed by workflow members for their tasks

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              benbosman Ben Bosman
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated: