Uploaded image for project: 'DSpace'
  1. DSpace
  2. DS-3186

ItemImport's processContentsFile method does not respect permission settings when registering bitstreams

    Details

    • Type: Bug
    • Status: Volunteer Needed (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.2
    • Fix Version/s: None
    • Component/s: Documentation, DSpace API
    • Labels:
      None
    • Attachments:
      0
    • Comments:
      1
    • Documentation Status:
      Needed

      Description

      Unless I am mistaken, permission settings in `contents` files are completely ignored for registered bitstream lines (e.g., lines starting with "-r") when using the Simple Archive Format to import items.

      This wouldn't be a big deal if this behavior was documented, or if the import tool errored out when permission config and the registration marker ("-r") were detected on the same line.

      However, this behavior is not documented, and in fact the [documentation](https://wiki.duraspace.org/display/DSDOC5x/Registering+Bitstreams+via+Simple+Archive+Format) shows usage of bitstream registration WITH permission configuration. The permission settings are quietly ignored, and, by default, the bitstreams have anonymous read access.

      If I am correct, existing repositories could be exposing private bitstreams to the world, assuming not every administrator will verify the appropriate policies for every single imported bitstream.

      See for example [ItemImport.java](https://github.com/DSpace/DSpace/blob/dspace-5.2/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImport.java#L1395), although this issue also seems to apply to DSpace master.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              kardeiz Jacob Brown
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: