Opened 12 years ago
Last modified 12 years ago
#1166 new defect
download links on a search result shows timing out 'download files' window for non-connected users
Reported by: landry
Owned by:
Priority: major
Milestone: v2.10.0 RC0
Component: General
Version: v2.8.0RC2
Keywords:
Cc:
Description
Using 2.8.0rc2, the search result window shows 'download file' links to non-connected users for attached file resources, even if the privileges to download the files are not granted to non-connected users. This wasn't the case with geosource 2.7.0, so dunno what changed since then.
Clicking those links when non connected brings a 'download files' extjs widget, but it times out since in the backend file.prepare.download is called, and this raises an OperationNotAllowedEx exception which is not propagated correctly to the UI. When connected and the rights are granted, it correctly shows a list of downloadable files to select.
2012-11-26 10:00:06,689 INFO [jeeves.service] - Dispatching : prepare.file.download
2012-11-26 10:00:06,692 ERROR [jeeves.service] - Exception when executing service
2012-11-26 10:00:06,692 ERROR [jeeves.service] - (C) Exc : OperationNotAllowedEx : Operation not allowed
2012-11-26 10:00:06,693 DEBUG [jeeves.service] - Raised exception while executing service
<error id="operation-not-allowed">
  <message>Operation not allowed</message>
  <class>OperationNotAllowedEx</class>
  <stack>
    <at class="org.fao.geonet.lib.ResourceLib" file="ResourceLib.java" line="131" method="checkPrivilege" />
    <at class="org.fao.geonet.services.metadata.PrepareFileDownload" file="PrepareFileDownload.java" line="94" method="exec" />
    <at class="jeeves.server.dispatchers.ServiceInfo" file="ServiceInfo.java" line="230" method="execService" />
    <at class="jeeves.server.dispatchers.ServiceInfo" file="ServiceInfo.java" line="139" method="execServices" />
    <at class="jeeves.server.dispatchers.ServiceManager" file="ServiceManager.java" line="420" method="dispatch" />
    <at class="jeeves.server.JeevesEngine" file="JeevesEngine.java" line="747" method="dispatch" />
    <at class="jeeves.server.sources.http.JeevesServlet" file="JeevesServlet.java" line="208" method="execute" />
    <at class="jeeves.server.sources.http.JeevesServlet" file="JeevesServlet.java" line="109" method="doGet" />
    <at class="javax.servlet.http.HttpServlet" file="HttpServlet.java" line="617" method="service" />
    <at class="javax.servlet.http.HttpServlet" file="HttpServlet.java" line="717" method="service" />
    <skip>...</skip>
    <at class="org.fao.geonet.monitor.webapp.WebappMetricsFilter" file="WebappMetricsFilter.java" line="96" method="doFilter" />
    <skip>...</skip>
    <at class="org.fao.geonet.monitor.webapp.MetricsRegistryInitializerFilter" file="MetricsRegistryInitializerFilter.java" line="31" method="doFilter" />
    <skip>...</skip>
  </stack>
  <request>
    <language>fre</language>
    <service>prepare.file.download</service>
  </request>
</error>
So, two things:
- why are the download links shown at all to non-connected users ? smth changed in the config ? In both cases i'm using resources.get for file access
- can the exception be properly shown to the user instead of leaving the user with a timing-out widget ?
(and of course, anyone can reproduce it ?)
Change History (6)
comment:1 by , 12 years ago
follow-up: 3 comment:2 by , 12 years ago
Not sure what is going on? I can't seem to reproduce this in GeoNetwork 2.8.0RC2:
- classic interface or new widgets interface: With resources.get or file.disclaimer service I do not see download links to files that I don't have download access rights on in search results window
- in widgets interface though, when I open the record up in the viewer, I am shown the download link but clicking on the link brings up OperationNotAllowedEx which is ok I guess (probably shouldn't show the link at all I suppose).
comment:3 by , 12 years ago
Replying to simonp:
Not sure what is going on? I can't seem to reproduce this in GeoNetwork 2.8.0RC2:
- classic interface or new widgets interface: With resources.get or file.disclaimer service I do not see download links to files that I don't have download access rights on in search results window
Here in the search results interface, when clicking on the 'download files' link the extjs panel loads forever/times out. In the log i get the OperationNotAllowed message, but it seems the error is not properly propagated to the extjs ui... though i get :
{{
2013-02-22 14:24:50,931 INFO [jeeves.service] - -> dispatching to error for : prepare.file.download
2013-02-22 14:24:50,949 INFO [jeeves.service] - -> transforming with stylesheet : /var/lib/tomcat-georchestra/webapps/geocat/xsl/error.xsl
2013-02-22 14:24:51,200 INFO [jeeves.service] - -> end error transformation for : prepare.file.download
2013-02-22 14:24:51,200 INFO [jeeves.service] - -> error ended for : prepare.file.download
}}
But yes the prepare.file.download link should be displayed to non-connected users. Note that here i've backported http://trac.osgeo.org/geonetwork/ticket/1107 from master to my local 2.8.x to fix a bug where download links were duplicated for each download.
- in widgets interface though, when I open the record up in the viewer, I am shown the download link but clicking on the link brings up OperationNotAllowedEx which is ok I guess (probably shouldn't show the link at all I suppose).
I have the same behaviour here if i view the record, clicking on the download link brings OperationNotAllowedEx. So it shouldn't be shown here either.
comment:4 by , 12 years ago
Just for reference, i found out why prepare.file.download showed nothing in my case :
For some unknown reason the file download doesn't have the filename directly in the <gmd:name> tag but inside MimeFileType - no idea how it went this way.
<gmd:name>
  <gmx:MimeFileType xmlns:gmx="http://www.isotc211.org/2005/gmx" type="application/pdf">Carte_AMII.pdf</gmx:MimeFileType>
</gmd:name>
Thus 'name' attribute is not set when getting the minimized xml :
<link title="Cartographie : Réponses à l’AMII - Programme National Très Haut Débit" href="http://ids-dev.craig.fr/geocat/srv/eng/resources.get?id=152&fname=Carte_AMII.pdf&access=private" name="" protocol="WWW:DOWNLOAD-1.0-http--download" type="application/pdf" />
<link type="download">http://ids-dev.craig.fr/geocat/srv/eng/resources.get?id=152&fname=Carte_AMII.pdf&access=private</link>
and the xpath request in PrepareFileDownload.java doesn't catch it. (note that it doesn't select the 'type=download' links, while it could use them and parse the URL)
A workaround is to get the name from the href link, and additionally check if it is not empty as an additional check. I admit it's not the best fix, but at least it sorta fixes the issue for me.
diff --git a/web/src/main/java/org/fao/geonet/services/metadata/PrepareFileDownload.java b/web/src/main/java/org/fao/geonet/services/metadata/PrepareFileDownload.java index af24b64..2baa7c0 100644 --- a/web/src/main/java/org/fao/geonet/services/metadata/PrepareFileDownload.java +++ b/web/src/main/java/org/fao/geonet/services/metadata/PrepareFileDownload.java @@ -112,7 +112,7 @@ public class PrepareFileDownload implements Service //--- process links to a file (have name field not blank) //--- if they are a reference to a downloadable local file then get size //--- and date modified, if not then set local to false - xp = XPath.newInstance ("link[starts-with(@protocol,'WWW:DOWNLOAD') and @name!='']"); + xp = XPath.newInstance ("link[starts-with(@protocol,'WWW:DOWNLOAD')]"); elems = xp.selectNodes(elBrief); response = processDownloadLinks(context, id, dm.getSiteURL(), elems, response); @@ -158,11 +158,14 @@ public class PrepareFileDownload implements Service if (lp.startsWith("access=")) { access = lp.substring(lp.indexOf('=')+1); } + if (lp.startsWith("fname=")) { + fname = lp.substring(lp.indexOf('=')+1); + } } File dir = new File(Lib.resource.getDir(context, access, id)); File file= new File(dir, fname); - if (file.exists()) { + if (fname != "" && file.exists()) { size = file.length(); Date date = new Date(file.lastModified()); dateModified = sdf.format(date); @@ -175,7 +178,8 @@ public class PrepareFileDownload implements Service elem.setAttribute("found",found+""); elem.setAttribute("local",local+""); elem.setAttribute("download","true"); - response.addContent(elem); + if (found) + response.addContent(elem); } else { context.info("Unknown download link: "+Xml.getString(elem)); }
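Review bot: the comment above the changed `XPath.newInstance` call in the first hunk still reads "process links to a file (have name field not blank)", but the new expression `link[starts-with(@protocol,'WWW:DOWNLOAD')]` no longer tests `@name`. Update that comment to say the file name is now taken from the `fname=` parameter of the href, so a later reader does not put the `@name!=''` filter back.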
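Review bot: in the second hunk, `fname != ""` compares object references in Java, not string contents, so it is not a reliable empty-string test; use `!fname.isEmpty()` or `fname.length() > 0`. The value is also copied straight from the href's `fname=` parameter into `new File(dir, fname)` with no URL-decoding and no validation. Since the href is data from the record's link element, reject names that contain path separators or `..`, or compare the canonical path of `file` against that of `dir`, before `file.exists()`, `file.length()` and `file.lastModified()` are called on it.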
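Review bot: the new `if (found)` around `response.addContent(elem);` in the third hunk drops links silently, and it has no braces around its body. The comment in the first hunk says links that are not downloadable local files get `local` set to false, which suggests they were meant to stay in the response; if `found` only becomes true when the local file exists, those links now disappear as well. Please confirm that is intended, log the skipped link with `context.info(...)` as the `else` branch does for unknown links, and add braces.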
follow-up: 6 comment:5 by , 12 years ago
{{ ..... INFO [jeeves.service] - -> transforming with stylesheet : /var/lib/tomcat-georchestra/webapps/geocat/xsl/error.xsl .... }}
Are you running GeoNetwork 2.8.x RC2? Perhaps you are running some other version of GeoNetwork (geocat?, geosource?)
comment:6 by , 12 years ago
Replying to simonp:
{{ ..... INFO [jeeves.service] - -> transforming with stylesheet : /var/lib/tomcat-georchestra/webapps/geocat/xsl/error.xsl .... }}
Are you running GeoNetwork 2.8.x RC2? Perhaps you are running some other version of GeoNetwork (geocat?, geosource?)
I'm running tip of regular geonetwork 2.8.x github branch, with some commits backported (mainly #1107 but also fixes for #1226, #1227 & #1228 among others) and some parts from geosource on top of it. 'geocat' is the name of the war when i deploy it, but it's geonetwork with extjs gui.
prepare.file.download calls services/metadata/PrepareFileDownload.java which in turn calls Lib.resource.checkPrivilege() which requires credentials - Guest can't call that so the 'downloadLinks' should be hidden to unauthenticated users.
Furthermore, it only returns the links to authenticated users so far, i haven't been able to get the real download links for my catalog - it seems processDownloadLinks fails to find all the files. I'm considering disabling it completely, since all download links are available separately outside of the 'downloadLinks' window.