I’m trying to figure out what should be possible in terms of protecting master digital objects from public view.
Basically, with a representative image like:
… I can edit the URL to http://ouratomsite.ca/uploads/r/institution-name/a/b/b/abbe4a20c2a6d7e3c33be60f74e53b2fb3a21880aee8ad6b07010004f373494d/A-1.tif
(omitting the _141 and changing the extension) to gain access to the master. Because of this limitation (as I had understood it) we haven’t actually been uploading high resolution masters.
But I can’t reproduce this on some other AtoM instances, so I’m wondering if we missed a server configuration or something else, following the addition of the PREMIS rights features. (From issue 2714, which mentions the URL issue, I’m gathering there’s a connection.)
We haven’t been using the PREMIS rights feature, and I haven’t spent a lot of time with it so I might be doing something wrong, but testing with a single description, if I set the rights as “conditional” (for which access to the master is not allowed), I can still get access to the master (for that description) by changing the URL. Denying access to the representative image works as expected.
Am I right in thinking that it should be possible to protect the master image from this kind of backdoor access? If so, how do we implement that?
A possibly related issue: a lot of our images still have a location like:
http://ouratomsite.ca/uploads/r/institution-name/8/5/850534/photo10.jpg
in other words without the UUID. Any new uploads get the UUID. Is there a task we can run to standardize the existing uploads? I’m wondering if we missed something during a previous upgrade.
Thanks
Tim
--
You received this message because you are subscribed to the Google Groups "AtoM Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ica-atom-user...@googlegroups.com.
To post to this group, send email to ica-ato...@googlegroups.com.
Visit this group at https://groups.google.com/group/ica-atom-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/YQBPR0101MB137987D4E2B82C4380D483F3E0D80%40YQBPR0101MB1379.CANPRD01.PROD.OUTLOOK.COM.
For more options, visit https://groups.google.com/d/optout.
--
David Juhasz Director, AtoM Technical Services Artefactual Systems Inc. www.artefactual.com
/usr/share/nginx/collections
/usr/share/nginx/items
location ~* ^/collections/uploads/r/(.*)$ {
    include /etc/nginx/fastcgi_params;
    set $index /collections/index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$index;
    fastcgi_param SCRIPT_NAME $index;
    fastcgi_pass atom-collections;
}
...server {listen 80;root /usr/share/nginx/atom;...
For your case where you have multiple AtoM installations, you will need to define the "root" directive in the location blocks for each AtoM instance. I *think* this should work:
location ~* ^/collections/uploads/r/(.*)$ {
    root /path/to/atom;
    include /etc/nginx/fastcgi_params;
    set $index /collections/index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$index;
    fastcgi_param SCRIPT_NAME $index;
    fastcgi_pass atom-collections;
}
Best regards, David
--
David Juhasz Director, AtoM Technical Services Artefactual Systems Inc. www.artefactual.com
location ~* ^/site1/uploads/r/(.*)$ {
    root /usr/share/nginx/site1;
    include /etc/nginx/fastcgi_params;
    set $index /index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$index;
    fastcgi_param SCRIPT_NAME /site1$index;
    fastcgi_pass atom-site1;
}
$this->response->setHttpHeader('X-Accel-Redirect', '/private'.$this->resource->getFullPath());
$webRoot = str_replace('/index.php', '', $_SERVER['SCRIPT_NAME']);
$this->response->setHttpHeader('X-Accel-Redirect', $webRoot . '/private' . $this->resource->getFullPath());
--
David Juhasz Director, AtoM Technical Services Artefactual Systems Inc. www.artefactual.com
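A small lint for the kind of uploads location blocks posted in this thread, as an added example that is not part of the original messages and not AtoM project code. It flags an uploads location with no fastcgi_pass (files would be served statically instead of going through index.php), one with no root when several instances share a server block, and a directive missing its semicolon. The function name and the site2/site3 blocks are constructed for illustration.

```python
import re

# One brace-delimited location block with no nested braces, as in the thread's snippets.
LOCATION_RE = re.compile(r"location\s+(?:~\*?|=|\^~)?\s*(?P<pattern>\S+)\s*\{(?P<body>[^{}]*)\}")

def audit_uploads_locations(conf, server_has_root=False):
    """Return {location pattern: [problems]} for each location covering /uploads/r/."""
    report = {}
    for m in LOCATION_RE.finditer(conf):
        pattern, body = m.group("pattern"), m.group("body")
        if "/uploads/r/" not in pattern:
            continue
        lines = [l.strip() for l in body.splitlines() if l.strip() and not l.strip().startswith("#")]
        problems = [f"directive missing ';': {l}" for l in lines if not l.endswith(";")]
        directives = {l.split()[0] for l in lines}
        if "fastcgi_pass" not in directives:
            problems.append("no fastcgi_pass: requests are not routed through index.php")
        if "root" not in directives and not server_has_root:
            problems.append("no root here or in the server block for $document_root")
        report[pattern] = problems
    return report

# Constructed sample: site1 mirrors the block in the thread, site2 and site3 are hypothetical.
SAMPLE_CONF = r"""
location ~* ^/site1/uploads/r/(.*)$ {
    root /usr/share/nginx/site1
    include /etc/nginx/fastcgi_params;
    set $index /index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$index;
    fastcgi_param SCRIPT_NAME /site1$index;
    fastcgi_pass atom-site1;
}
location ~* ^/site2/uploads/r/(.*)$ {
    include /etc/nginx/fastcgi_params;
    set $index /site2/index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$index;
    fastcgi_pass atom-site2;
}
location /site3/uploads/r/ {
    root /usr/share/nginx/site3;
}
"""

if __name__ == "__main__":
    for pattern, problems in audit_uploads_locations(SAMPLE_CONF).items():
        print(pattern, "->", problems or "ok")
```

Pass `server_has_root=True` when the enclosing server block already sets a root that is correct for the instance being checked.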