Access to a draft digital file by an unauthenticated user.


romain guedj

Apr 21, 2021, 2:12:22 AM4/21/21
to AtoM Users

Hi All,

Context:

AtoM 2.6.3 – 184

Issue:

An authenticated user could access a digital object if he has the URL of the archival description.

Steps to reproduce the issue:

The JPG file (CD.jpg) of the draft “fonds Kehren Oberson test” is displayed for an authenticated user.

[screenshot: authenticatedUser01.PNG]

An authenticated user could access a digital object if he has the URL of the digital file.

[screenshot: authenticatedUser-digitalObject02.PNG]

An unauthenticated user cannot access a draft archival description, which is expected:

[screenshot: UnauthenticatedUser01.PNG]

An unauthenticated user can access a digital object if he has the URL of the digital file, which is not expected. URL: https://archivesqa.local.bcu-fribourg.ch/uploads/r/bcu-fribourg/3/8/2/382b9d6e92e1d79506d4e0aaaf2d67b535f11f58a986c5e69f372c4aa4787264/6b61563e-4a6b-4441-8745-f4a457d83cb5-CD.jpg

[screenshot: UnauthenticatedUser-digitalObject02.PNG]

I am wondering whether this is normal AtoM behavior or whether we are missing something in the nginx configuration (nginx/1.14.0).

Thanks for your help and have a great day.

Cheers,

Romain
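The reproduction steps above compare what an anonymous visitor and a logged-in user get back for the same URL. The script below is an added example written for this thread, not code from AtoM or from the poster: it fetches a URL twice, once with no session cookie and once with one, bypasses any browser cache by sending explicit no-cache headers, and reports the URL as exposed when the anonymous response is a 200 whose body is byte-identical to the authenticated one. The hostnames, cookie name and the in-memory fake site used for the offline run are constructed assumptions; pass `http_fetch` and a real session cookie to test an actual instance.

```python
"""Check whether a URL is served identically to anonymous and authenticated clients."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Mapping, Optional, Tuple


@dataclass
class Response:
    status: int
    body: bytes


# A fetcher takes (url, request headers) and returns a Response.
Fetcher = Callable[[str, Mapping[str, str]], Response]


def http_fetch(url: str, headers: Mapping[str, str]) -> Response:
    """Real fetcher: plain GET with the given headers, returning non-2xx as data, not as an error."""
    req = urllib.request.Request(url, headers=dict(headers), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return Response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return Response(err.code, err.read())


def check_url(url: str, session_cookie: str, fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Fetch the URL anonymously and with a session cookie and compare the two answers."""
    # Explicit no-cache headers so a cached copy from an earlier logged-in request
    # cannot masquerade as an anonymous success.
    base_headers = {"Cache-Control": "no-cache", "Pragma": "no-cache"}
    anon = fetch(url, base_headers)
    auth = fetch(url, {**base_headers, "Cookie": session_cookie})
    exposed = anon.status == 200 and auth.status == 200 and anon.body == auth.body
    return {
        "url": url,
        "anonymous_status": anon.status,
        "authenticated_status": auth.status,
        "exposed": exposed,
    }


def run_checks(urls: List[str], session_cookie: str, fetch: Fetcher = http_fetch) -> List[Dict[str, object]]:
    """Run check_url over a list of URLs (e.g. a draft description and its digital object)."""
    return [check_url(u, session_cookie, fetch) for u in urls]


# Constructed stand-in for the behaviour described in the post: the file under
# /uploads/ is served to everyone, the draft description page only to a session.
# Values are (body, cookie required to get a 200), None meaning no cookie needed.
FAKE_SITE: Dict[str, Tuple[bytes, Optional[str]]] = {
    "https://archives.example/uploads/r/x/abc-CD.jpg": (b"\xff\xd8\xff\xe0 fake JPEG bytes", None),
    "https://archives.example/fonds-test-draft": (b"<h1>Draft description</h1>", "atom_session=valid"),
}


def fake_fetch(url: str, headers: Mapping[str, str]) -> Response:
    """Offline fetcher over FAKE_SITE (assumption for demonstration only)."""
    if url not in FAKE_SITE:
        return Response(404, b"Not Found")
    body, required_cookie = FAKE_SITE[url]
    if required_cookie is None or headers.get("Cookie") == required_cookie:
        return Response(200, body)
    return Response(403, b"<h1>Permission denied</h1>")


if __name__ == "__main__":
    for result in run_checks(list(FAKE_SITE), "atom_session=valid", fake_fetch):
        print(result)
```

Against a live instance the only inputs are the two URLs from the reproduction steps and a valid session cookie copied from a logged-in browser; a result with `exposed: True` for the upload URL and `False` for the description URL is exactly the behaviour reported above.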

romain guedj

Apr 21, 2021, 2:19:21 AM4/21/21
to AtoM Users
Sorry for this error. Instead of:
"An authenticated user could access a digital object if he has the URL of the archival description."
please read:
"An unauthenticated user could access a digital object if he has the URL of the digital object."

Dan Gillean

Apr 21, 2021, 10:06:57 AM4/21/21
to ICA-AtoM Users
Hi Romain, 

I've done a quick test in our QA branch for 2.7 and have been unable to reproduce this. I was also unable to reproduce this in the 2.6.4 demo site: 
  1. Check your archival description permissions for the anonymous user - is the View Master permission setting set to Grant? If yes, change it to Deny and this should hopefully resolve the issue
  2. It's possible that access to the master is cached in your web browser if you were testing this by logging out and using the same browser and URL. I would recommend that you try testing as a public user in a different browser, ideally in Incognito mode (where the cache is typically disabled by default) or else be sure to clear your web browser cache before re-testing after logging out. 
Let us know what you find! 

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him



romain guedj

Apr 21, 2021, 10:36:02 AM4/21/21
to AtoM Users
Hi Dan,

Thank you for your quick reply.

Workaround 2:
I have tested in incognito mode.

Workaround 1:
If I change the master permission for the anonymous user to Deny, the anonymous user would not be able to access the master at all, whatever the status of the archival description is: draft or published.
I am trying to deny anonymous users access to the digital object of a draft archival description, but I would like to keep anonymous access to the digital object of a published archival description.

Cheers,

Romain

Dan Gillean

Apr 22, 2021, 10:23:56 AM4/22/21
to ICA-AtoM Users
Hi Romain, 

I see - that makes sense, regarding your second point. 

I've dug a little deeper on this to determine the difference in what we're seeing. In 2.7 we've done a bit of an overhaul of some of the permissions code, and in doing so, we also found and fixed this bug where users can access the master DO URL of a draft description. The fix is visible as part of this commit: 
So - a fix will be coming in the next major AtoM release (AtoM 2.7), which we are currently planning on releasing later this year. If you have a development environment, you could potentially try applying this commit as a patch - however, it's a major change across several files, and I'm not sure if any of those changes depend on other previous commits in our development branch that might not be in the stable 2.6 branch. As such, if you do decide to experiment with this, I strongly recommend that you do so at your own risk, back up your data, and do NOT test this approach first on a production instance until you've done thorough testing in a test instance and have found no other issues! 

Regards, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him

romain guedj

Apr 26, 2021, 4:51:15 AM4/26/21
to AtoM Users
Hi Dan,

Perfect, I'll just wait for the upcoming major version.

Thanks again,

Cheers,

Romain