Limiting CSV export to specific groups

45 views
Skip to first unread message

Raphaël Barman

unread,
Jul 15, 2021, 6:32:04 AM7/15/21
to AtoM Users
Hi,

I was wondering if it is possible to limit the possibility to make CSV exports to specific groups of users. I was not able to find any information in the settings or in the documentation.
We had the issue that a user triggered exports for a large amount of data. This resulted in a job running for several days and blocking the job queue (we have only one worker), which is unwanted.

Best,
Raphaël

Alberto Pereira

unread,
Jul 15, 2021, 9:59:52 AM7/15/21
to ica-ato...@googlegroups.com, AtoM Users
Hi Raphaël,

I don't think there's a way to restrict that particular action through the administration - but maybe someone more knowledgeable can chime in.
The way I've been putting in place these kind of restrictions (not sure if any of these have been deprecated since) is to do it in the frontend/template. Before showing the link just make a check for the proper group of the authenticated user. This can be done, for instance, with the "hasCredential" function

| $sf_user->hasCredential(array('contributor', 'editor', 'administrator'), false)

or with the "getAclGroups" function, which you can loop through if you want

| foreach ($sf_user->getAclGroups() as $group) // access name through $group->getName()

The problem with this is, of course, that if a user knows the link he can just type it directly in the browser to access it. Not being able to see the links worked fine for my use case though, so I didn't worry much about it.
For a more secure approach, you can probably use the same idea on the server side. Confirm this, but this particular case should be possible by overriding apps/qubit/modules/informationobject/actions/exportCsvAction.class.php with the same checks. Note though, that the functions I described above will check against session storage. Use "$sf_user->hasGroup()" to check against the database if needed.

cheers
--
You received this message because you are subscribed to the Google Groups "AtoM Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ica-atom-user...@googlegroups.com.

Raphaël Barman

unread,
Jul 16, 2021, 9:29:23 AM7/16/21
to AtoM Users
Hi Alberto,

Thanks a lot for your answer. Hiding the link in the frontend/template is an acceptable solution in my use case.

Best,
Raphaël

Dan Gillean

unread,
Jul 22, 2021, 10:25:02 AM7/22/21
to ICA-AtoM Users
Hi Raphaël,

I haven't tried this myself, but you could experiment with restricting access to the import pages in the user interface by group by adjusting the following file: 
The following thread may also offer a bit of guidance, as it points you to an example security YAML file where multiple groups are listed (the format is a bit different), and reminds you about clearing all application caches (and your web browser cache) before testing to see if the changes have taken effect. See: 
Keep in mind that you would need to reapply any customizations you make here after future upgrades - so if you find something that works, consider keeping a local copy for reference. 

Let us know how it goes!

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him


Reply all
Reply to author
Forward
0 new messages