DSpace / DS-3642

Authority Control via Choices displays values without authorisation


    Details

    • Type: Bug
    • Status: Volunteer Needed (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.6, 5.7, 6.0, 6.1
    • Fix Version/s: None
    • Component/s: JSPUI, XMLUI
    • Labels:
      None
    • Environment:
      All
    • Attachments:
      0
    • Comments:
      1
    • Documentation Status:
      Needed

      Description

      Plugins for the authority control mechanisms (Choice plugins) deliver data without any prior authorization. For many kinds of authority data this is not a problem, but it can be used to systematically crawl full directories if authority control is based on LDAP or similar information. It is also one possible point to inject queries into third-party data sources. At the very least, DSpace should check whether the requesting user is registered with DSpace and allowed to submit to at least one collection.

      An example URL of such unauthorized access (it works only if authority control is configured for the field dc.contributor.author) is: https://some-dspace-url.here/choices/dc_contributor_author?query=test&format=select&collection=1&start=0&limit=0
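      As an added example that is not part of this issue or of DSpace's own code, the following servlet filter sketches the check the description asks for: it refuses /choices/* requests unless the caller is a logged-in EPerson who holds ADD rights on at least one collection. It assumes the DSpace 5.x JSPUI API (UIUtil.obtainContext, Collection.findAuthorized, Constants.ADD) and a filter mapping for /choices/* that you add to web.xml yourself; the class name is hypothetical.

```java
import java.io.IOException;
import java.sql.SQLException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.dspace.app.webui.util.UIUtil;   // assumed: JSPUI helper that yields a DSpace Context for the request
import org.dspace.content.Collection;
import org.dspace.core.Constants;
import org.dspace.core.Context;
import org.dspace.eperson.EPerson;

/** Hypothetical filter: map it to /choices/* so choice lookups require a submitter. */
public class ChoicesAuthorizationFilter implements Filter {
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        try {
            Context context = UIUtil.obtainContext(request);
            EPerson user = context.getCurrentUser();
            // Anonymous caller: the lookup must not hand directory data to unauthenticated clients.
            if (user == null) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Logged in but unable to submit anywhere: no legitimate reason to query authorities.
            Collection[] submittable = Collection.findAuthorized(context, null, Constants.ADD);
            if (submittable == null || submittable.length == 0) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        } catch (SQLException e) {
            throw new ServletException("Could not evaluate authorization for choices lookup", e);
        }
        // Authenticated submitter: let the choice lookup servlet handle the request.
        chain.doFilter(req, resp);
    }
}
```

A stricter variant would check ADD on the specific collection passed in the request's collection parameter rather than on any collection.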


            People

            • Assignee:
              Unassigned
            • Reporter:
              Eike Kleiner
            • Votes:
              0
            • Watchers:
              4
