Opened 13 years ago
Closed 13 years ago
#468 closed defect (fixed)
GetRecordById ACL issues
| Reported by: | pmauduit | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | v2.7.0 |
| Component: | Catalog server | Version: | v2.6.3 |
| Keywords: | CSW GetRecordById | Cc: |
Description
I figured out that the GetRecordById CSW operation was not checking the current user's rights before giving back the metadata as a CSW response. I attached a little patch which aims to fix this. Tested on trunk, with sample metadata (hydrological basins of africa) ; after removing all privileges to non-logged people :
% curl 'http://localhost:8080/geonetwork/srv/fr/csw?service=CSW&request=GetRecordById&id=da165110-88fd-11da-a88f-000d939bc5d8'
Leads to the following response :
<?xml version="1.0" encoding="UTF-8"?>
<ows:ExceptionReport xmlns:ows="http://www.opengis.net/ows" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0.0" xsi:schemaLocation="http://www.opengis.net/ows http://schemas.opengis.net/ows/1.0.0/owsExceptionReport.xsd">
<ows:Exception exceptionCode="NoApplicableCode">
<ows:ExceptionText>OperationNotAllowedEx : Operation not allowed</ows:ExceptionText>
</ows:Exception>
</ows:ExceptionReport>
It is normally possible to use a GetRecords to get a metadata as well, but the current code on GetRecords seems to use specific lucene fields which already implements the ACLs correctly, so IMHO no modification of this operation is necessary.
Attachments (1)
Change History (3)
by , 13 years ago
| Attachment: | acl-check_GetRecordById.java.patch added |
|---|
comment:1 by , 13 years ago
| Component: | General → Catalog server |
|---|
comment:2 by , 13 years ago
| Milestone: | v2.6.4 → v2.7.0 |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
r7420