  1. DSpace
  2. DS-4394

Ensure that the new REST API hides information from unauthorized users


    Details

    • Type: Task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Duplicate
    • Affects Version/s: 7.0
    • Fix Version/s: None
    • Component/s: REST API v7
    • Labels:
    • Attachments:
      0
    • Comments:
      3
    • Documentation Status:
      Not Required

      Description

      At the current stage we have implemented coarse-grained control over the endpoints using pre-authorize Spring Security interceptors.
      In many cases the authorization is not a simple access / deny: for some endpoints, users allowed to access the endpoint should read only a partial object. This can apply both to the object that is targeted by the endpoint and to other linked objects. Some examples:

      The item endpoint should protect the dc.description.provenance metadata (or any hidden metadata) from "normal users"; an accessible item should not list administrative bundles to normal users. On the collection endpoint the associated groups and policies should be hidden from normal users, and so on.
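
      An added sketch of the per-caller projection the description asks for, shown for the item endpoint (example code written for this page, not DSpace's implementation). The `Item` and `Bundle` records, `viewFor`, and the contents of `HIDDEN_FIELDS` and `PUBLIC_BUNDLES` are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.stream.Collectors;

// Hypothetical, simplified types; these are not DSpace's own classes.
public class ItemProjection {
    record Bundle(String name) {}
    record Item(Map<String, List<String>> metadata, List<Bundle> bundles) {}

    // Assumed configuration: metadata fields only administrators may read.
    static final Set<String> HIDDEN_FIELDS = Set.of("dc.description.provenance");
    // Assumed allow-list: any bundle not named here is treated as administrative.
    static final Set<String> PUBLIC_BUNDLES = Set.of("ORIGINAL", "THUMBNAIL");

    // The endpoint-level check has already allowed the request; this decides
    // which parts of the object this caller gets to see in the response.
    static Item viewFor(Item item, boolean isAdmin) {
        if (isAdmin) {
            return item;
        }
        Map<String, List<String>> visible = item.metadata().entrySet().stream()
            .filter(e -> !HIDDEN_FIELDS.contains(e.getKey()))
            .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue,
                                      (a, b) -> a, TreeMap::new));
        List<Bundle> bundles = item.bundles().stream()
            .filter(b -> PUBLIC_BUNDLES.contains(b.name()))
            .toList();
        return new Item(visible, bundles);
    }

    public static void main(String[] args) {
        // Constructed sample item.
        Item item = new Item(
            Map.of("dc.title", List.of("Sample item"),
                   "dc.description.provenance", List.of("Submitted by admin@example.org")),
            List.of(new Bundle("ORIGINAL"), new Bundle("LICENSE")));

        Item normalUser = viewFor(item, false);
        if (normalUser.metadata().containsKey("dc.description.provenance")
                || normalUser.bundles().contains(new Bundle("LICENSE"))) {
            throw new IllegalStateException("restricted data leaked to a normal user");
        }
        System.out.println("normal user: " + normalUser);
        System.out.println("admin:       " + viewFor(item, true));
    }
}
```

      The same projection has to run wherever the item is embedded as a linked object in another response, otherwise the hidden fields are still readable through that route.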

            People

            Assignee:
            Unassigned
            Reporter:
            bollini Andrea Bollini (4Science)