Restrict access to logged-in users only

Sean Carte

Jan 27, 2021, 3:30:03 AM
to DSpace Technical Support
Is there a way to restrict access to logged-in users only, so that anonymous access to collections requires a log-in?

I understand that I can simply remove the anonymous READ authorization for a collection, but then I would need to create a READ authorization for a particular group, and there isn't a 'logged-in users' group.

I'm sure I must be missing something very obvious here, please could someone enlighten me.

DSpace version:  6.3
  SCM revision:  813800ce1736ec503fdcfbee4d86de836788f87c
    SCM branch:  UNKNOWN
            OS:  Linux(amd64) version 4.15.0-130-generic
  Applications:
     Discovery:  enabled.
           JRE:  Private Build version 1.8.0_275
   Ant version:  Apache Ant(TM) version 1.10.5 compiled on March 28 2019
 Maven version:  3.3.9

José Geraldo

Jan 27, 2021, 7:54:07 AM
to Sean Carte, DSpace Technical Support
Hi,

You can use the "login.specialgroup" and change the READ policy for this group.


--
Regards,

José Geraldo

Sean Carte

Jan 27, 2021, 8:28:55 AM
to José Geraldo, DSpace Technical Support
Thanks, José!

Sean Carte

Jan 29, 2021, 2:09:39 AM
to DSpace Technical Support
Using the login.specialgroup, along with removing default read access to the collections, does restrict access to collections listed on the home page. However, anonymous access is still available to items made available by Discovery. That is, in the 'Recently Added' section, or via search, or the browse lists.

Removing anonymous read access from items' bitstreams and replacing it with read access for the authenticated special group does work, but I'm going to have to repeat this process every time a new item is added. Also, the wildcard policy admin tool seems to time out when used on multiple collections, or even large collections (> ~1000), in which case the items are not modified.

I suppose I could modify the UI to remove the ability to use discovery, etc., but that rather defeats the purpose of using DSpace.

Is there a better approach?

My goal is to have all items available to logged-in users, but nothing available to anonymous users.

DSpace version:  6.3
XMLUI
Mirage2 theme

José Geraldo

Jan 29, 2021, 8:43:04 AM
to Sean Carte, DSpace Technical Support
Hi,

Items accepted in a collection inherit the associated authorization policies DEFAULT_ITEM_READ and DEFAULT_BITSTREAM_READ, which become READ policies for the item and its attachments.

However, when changing the default policies for a collection, once items are accepted, the policies for existing items will not be changed automatically.

Soon, a user, without logging in and in possession of the link to one of the items in the collection, will have access to the item and its contents.

To get around this point, you will need to change the permissions of the items in the collection using the Policy Administration Tool to make them accessible only to logged-in users.

For each item in a collection, there is only one READ policy configured for the Anonymous group.

However, the tool does not have the option to edit policies, having only the options to add and delete policies.

Therefore, it will be necessary to first delete the policies for items and binary files (attachments) and then create new READ policies linked to the special group for them.

This process is done one collection at a time; if you need to apply it to all collections, a suggestion would be to apply it to the database.



--
Regards,

José Geraldo

Sean Carte

Jan 29, 2021, 1:48:51 PM
to José Geraldo, DSpace Technical Support
Thanks again, José; you've been extremely helpful.

Sean Carte

Feb 3, 2021, 2:13:10 AM
to DSpace Technical Support
For most collections, using the wildcard policy admin tool has worked very well, and I have been able to restrict their bitstreams to logged-in users. However, I have two collections with over 1000 items. For one of these, with 1688 items, I was not able to remove the anonymous read access; the browser reports an internal error, but there's nothing in the tomcat or dspace logs. Another collection, of 1012 items, allowed me to remove anonymous read access, but I have not been able to add READ access for the logged-in group.

Apart from moving hundreds of items out of those collections, to reduce their size, does anybody have any suggestions on how I should proceed?

DSpace version:  6.3
XMLUI
Mirage2 theme

José Geraldo

Feb 3, 2021, 8:12:01 AM
to Sean Carte, DSpace Technical Support
Another option would be to back up your database and make changes to the database.



--
Regards,

José Geraldo

Sean Carte

Feb 3, 2021, 9:52:58 AM
to José Geraldo, DSpace Technical Support
I was hoping for some guidance on that. I did look at the tables, but wasn't able to find anything obviously related to access rights.

Or did you mean that I should use the database to move items from the collection? That might work.

José Geraldo

Feb 3, 2021, 10:58:57 AM
to Sean Carte, DSpace Technical Support
Use the database to change or add permission.

The table used is resourcepolicy. 

Updating the epersongroup_id to the id of the special group created, and filtering by action_id.

action_id:

0 read
1 write
3 add
4 remove
9 default_bitstream_read
10 default_item_read
11 admin
--
Regards,

José Geraldo
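
The database change described in the message above, written out as an added example (not code posted by anyone in this thread). It assumes PostgreSQL and the DSpace 6.x schema; the columns `resource_type_id`, `dspace_object`, `policy_id`, `epersongroup.uuid` and `epersongroup.name`, and the group name `Authenticated` (a placeholder for the group set in login.specialgroup), do not appear in the thread and should be checked against your own database.

```sql
-- Added example (PostgreSQL, DSpace 6.x schema); take a database backup first.
-- Assumption: 'Authenticated' is a placeholder for your login.specialgroup group name.
BEGIN;

-- 1. Collect the anonymous policies to change:
--    READ (0) on bitstreams (0), bundles (1) and items (2), plus the
--    DEFAULT_BITSTREAM_READ (9) / DEFAULT_ITEM_READ (10) policies on collections (3).
CREATE TEMP TABLE anon_targets ON COMMIT DROP AS
SELECT rp.policy_id, rp.dspace_object, rp.resource_type_id, rp.action_id
FROM resourcepolicy rp
JOIN epersongroup g ON g.uuid = rp.epersongroup_id
WHERE g.name = 'Anonymous'
  AND ((rp.resource_type_id IN (0, 1, 2) AND rp.action_id = 0)
    OR (rp.resource_type_id = 3 AND rp.action_id IN (9, 10)));

-- 2. Inventory before changing anything.
SELECT resource_type_id, action_id, count(*) AS policies
FROM anon_targets
GROUP BY resource_type_id, action_id
ORDER BY resource_type_id, action_id;

-- 3. Where the special group already holds the same policy (objects fixed earlier
--    with the wildcard policy tool), delete the anonymous row instead of duplicating.
DELETE FROM resourcepolicy rp
USING anon_targets t, resourcepolicy sp, epersongroup gs
WHERE rp.policy_id = t.policy_id
  AND gs.name = 'Authenticated'
  AND sp.epersongroup_id = gs.uuid
  AND sp.dspace_object = t.dspace_object
  AND sp.action_id = t.action_id;

-- 4. Repoint the remaining anonymous rows to the special group.
--    If the group name does not match, the join is empty and nothing changes.
UPDATE resourcepolicy rp
SET epersongroup_id = gs.uuid
FROM anon_targets t, epersongroup gs
WHERE rp.policy_id = t.policy_id
  AND gs.name = 'Authenticated';

-- 5. Verify: must return 0.
SELECT count(*) AS still_anonymous
FROM resourcepolicy rp
JOIN epersongroup g ON g.uuid = rp.epersongroup_id
WHERE g.name = 'Anonymous'
  AND rp.policy_id IN (SELECT policy_id FROM anon_targets);

-- Dry run by default; replace with COMMIT once step 5 returns 0.
ROLLBACK;
```

After committing, rebuild the Discovery index with `[dspace]/bin/dspace index-discovery -b`: Discovery filters search, browse and 'Recently Added' results using the read groups stored in its Solr index, so a stale index can keep listing items to anonymous visitors.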

Sean Carte

Feb 12, 2021, 8:54:51 AM
to José Geraldo, DSpace Technical Support
Thanks yet again, José! After much testing, I was able to modify the rights to all items in the repository. I would not have been able to get this right without your assistance.

José Geraldo

Feb 12, 2021, 10:01:01 AM
to Sean Carte, DSpace Technical Support
Very good.

If needed, you can send email: jos...@gmail.com
--
Regards,

José Geraldo

Marc

Feb 17, 2021, 5:57:21 AM
to José Geraldo, Sean Carte, DSpace Technical Support

Dear José and group,

Hope you don’t mind me hijacking this thread. Would setting the login.specialgroup work for DSpace CRIS 5.10 using ORCID as the authentication method? I basically just want to restrict access to the default_bitstream_read, to logged on users. Meaning that you have to be logged in to be able to download files.

Thank you

Marc

Sean Carte

Feb 19, 2021, 10:04:51 AM
to Marc, José Geraldo, DSpace Technical Support
I've only been restricting access in 6.3, but I don't see why login.specialgroup wouldn't work in DSpace-CRIS 5.10. The type of authentication used shouldn't matter either.