[Dspace-tech] Withdrawn items

16 views
Skip to first unread message

Ron Stevenhaagen

unread,
Aug 25, 2015, 11:11:02 AM8/25/15
to DSpac...@lists.sourceforge.net

We have been withdrawing items from our collections from time to time when authors decide they would like to restrict their submission. We can verify that the item is no longer viewable through the browse and search functions in dspace  after making the withdrawal.  However we recently discovered that the restricted items are still viewable through a web browser by entering the URL of the pdf located in the bitstream directory. This is also evident when I visit other dspace sites on the web. This appears to be a security issue/bug  in DSpace as the items are not actually withdrawn but only partially hidden. Has anyone else encounter this issue and if so is there a fix or work around.

 

We also discovered that when an item is withdrawn the browse function in dspace throws the following exception. The browse lists still contain a reference to the withdrawn item but should exclude the withdrawn item from its list because the item can’t  be browsed. When the item is reinstated the exceptions stop. This also appears to be a bug.

 

An internal server error occurred on http://qspace.library.queensu.ca:

 

Date:       9/9/08 1:49 PM

Session ID: B0F698642DC0A0C3C4B6D290843C6005

 

-- URL Was: http://qspace.library.queensu.ca/dspace/browse-title?top=1974%2F1236

-- Method: GET

-- Parameters were:

-- top: "1974/1236"

 

 

Exception:

org.postgresql.util.PSQLException: No value specified for parameter 2.

      at org.postgresql.core.v3.SimpleParameterList.checkAllParametersSet(SimpleParameterList.java:150)

      at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:179)

      at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:452)

      at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:354)

      at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:258)

      at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:92)

      at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:92)

      at org.dspace.storage.rdbms.DatabaseManager.queryPrepared(DatabaseManager.java:354)

      at org.dspace.browse.Browse.getResultsAfterFocus(Browse.java:886)

      at org.dspace.browse.Browse.doBrowse(Browse.java:725)

      at org.dspace.browse.Browse.getItemsByTitle(Browse.java:174)

      at org.dspace.app.webui.servlet.BrowseServlet.doDSGet(BrowseServlet.java:359)

      at org.dspace.app.webui.servlet.DSpaceServlet.processRequest(DSpaceServlet.java:151)

      at org.dspace.app.webui.servlet.DSpaceServlet.doGet(DSpaceServlet.java:99)

      at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)

      at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)

      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)

      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)

      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)

      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)

      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)

      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)

      at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)

      at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)

      at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)

      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)

      at java.lang.Thread.run(Thread.java:595)

 

 

Ron Stevenhaagen

Technical Specialist

Information Technology Services

Queen's University

Kingston, Ontario

 

 

 

 

Dorothea Salo

unread,
Aug 25, 2015, 11:11:12 AM8/25/15
to Dspace Tech
> However we recently discovered that
> the restricted items are still viewable through a web browser by entering
> the URL of the pdf located in the bitstream directory. This is also evident
> when I visit other dspace sites on the web. This appears to be a security
> issue/bug in DSpace as the items are not actually withdrawn but only
> partially hidden. Has anyone else encounter this issue and if so is there a
> fix or work around.

I believe this has been filed as a bug. I don't know of an easy
workaround off the top of my head, though going into the item and
removing anonymous READ privileges on the bitstream ought to do the
trick. (Maybe the withdraw code ought to do this by default?)

> We also discovered that when an item is withdrawn the browse function in
> dspace throws the following exception.

What version are you running? I thought that had been fixed round
about 1.4.1. (Plied with sufficient strong drink, I can be convinced
to tell the story of how that bug bit me...)

Dorothea

--
Dorothea Salo ds...@library.wisc.edu
Digital Repository Librarian AIM: mindsatuw
University of Wisconsin
Rm 218, Memorial Library
(608) 262-5493

Reply all
Reply to author
Forward
0 new messages