Uploaded image for project: 'DSpace'
  1. DSpace
  2. DS-4278

Submitters can edit all metadata

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Volunteer Needed (View Workflow)
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 7.0
    • Fix Version/s: None
    • Component/s: REST API v7
    • Labels:
    • Attachments:
      0
    • Comments:
      0
    • Documentation Status:
      Needed

      Description

      With the new DSpace 7 REST API, a submitter is no longer restricted to editing metadata fields from the submission forms, if they use the /api/core/items endpoint.

      It's easy to modify any metadata field, e.g. using:
      ```
      curl -D - -X PATCH 'http://localhost:8080/rest/api/core/items/517f13ab-3105-42d3-bf55-271876fb726e' -H "Authorization: $authorization" -H "content-type: application/json" --data '[ { "op": "add", "path": "/metadata/dc.description.provenance", "value": [

      { "value": "Some provenance" }

      ] } ]'
      ```

      This is accessible because the user has WRITE permissions on the item
      The same action can be performed by workflow members for their tasks

        Attachments

          Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. DS-4043 Revisit the security layer of the submission

          • Blocker - Blocks development and/or testing work, production could not run.
          • Accepted / Claimed

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              benbosman Ben Bosman
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated: