#468: GetRecordById ACL issues
-------------------------------+--------------------------------------------
 Reporter:  pmauduit           |       Owner:  geonetwork-devel@…
     Type:  defect             |      Status:  new
 Priority:  minor              |   Milestone:  v2.6.4
Component:  General            |     Version:  v2.6.3
 Keywords:  CSW GetRecordById  |
-------------------------------+--------------------------------------------
I figured out that the GetRecordById CSW operation was not checking the
current user's rights before giving back the metadata as a CSW response. I
attached a little patch which aims to fix this. Tested on trunk, with
sample metadata (hydrological basins of Africa); after removing all
privileges from non-logged-in people:
{{{
% curl 'http://localhost:8080/geonetwork/srv/fr/csw?service=CSW&request=GetRecordById&id=da165110-88fd-11da-a88f-000d939bc5d8'
}}}
Leads to the following response:
{{{
<?xml version="1.0" encoding="UTF-8"?>
<ows:ExceptionReport xmlns:ows="http://www.opengis.net/ows"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0.0"
    xsi:schemaLocation="http://www.opengis.net/ows http://schemas.opengis.net/ows/1.0.0/owsExceptionReport.xsd">
  <ows:Exception exceptionCode="NoApplicableCode">
    <ows:ExceptionText>OperationNotAllowedEx : Operation not allowed</ows:ExceptionText>
  </ows:Exception>
</ows:ExceptionReport>
}}}
It is normally possible to use a GetRecords to get a metadata as well, but
the current code on GetRecords seems to use specific Lucene fields which
already implement the ACLs correctly, so IMHO no modification of this
operation is necessary.
--
Ticket URL: <http://trac.osgeo.org/geonetwork/ticket/468>
GeoNetwork opensource Developer website <http://sourceforge.net/projects/geonetwork/>
GeoNetwork opensource is a standards based, Free and Open Source catalog application to manage spatially referenced resources through the web. It provides powerful metadata editing and search functions as well as an embedded interactive web map viewer. This website contains information related to the development of the software.
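
Added example, not part of the ticket or the attached patch: a regression check that classifies the body of an anonymous GetRecordById response as denied, leaked or empty, so the test described above can be automated. The CSW 2.0.2 namespace, the function names and the LEAKED and EMPTY samples are assumptions constructed for illustration; DENIED is abridged from the response quoted in the ticket.

```python
import xml.etree.ElementTree as ET

OWS = "http://www.opengis.net/ows"
CSW = "http://www.opengis.net/cat/csw/2.0.2"  # assumed: CSW 2.0.2 response namespace

# Abridged from the ticket: anonymous request against a record with no public privileges.
DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<ows:ExceptionReport xmlns:ows="http://www.opengis.net/ows" version="1.0.0">
  <ows:Exception exceptionCode="NoApplicableCode">
    <ows:ExceptionText>OperationNotAllowedEx : Operation not allowed</ows:ExceptionText>
  </ows:Exception>
</ows:ExceptionReport>"""

# Constructed: shape of a response that discloses a record to the anonymous caller.
LEAKED = b"""<?xml version="1.0" encoding="UTF-8"?>
<csw:GetRecordByIdResponse xmlns:csw="http://www.opengis.net/cat/csw/2.0.2"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
  <csw:SummaryRecord><dc:identifier>constructed-id</dc:identifier></csw:SummaryRecord>
</csw:GetRecordByIdResponse>"""

# Constructed: a response element with no record inside discloses nothing.
EMPTY = b'<csw:GetRecordByIdResponse xmlns:csw="http://www.opengis.net/cat/csw/2.0.2"/>'


def classify(body: bytes) -> str:
    """Return 'denied', 'leaked', 'empty' or 'error:<reason>' for one response body."""
    try:
        root = ET.fromstring(body)  # parse only responses from your own test server
    except ET.ParseError:
        return "error:not-xml"
    if root.tag == f"{{{OWS}}}ExceptionReport":
        texts = " ".join(e.text or "" for e in root.iter(f"{{{OWS}}}ExceptionText"))
        if "OperationNotAllowedEx" in texts:
            return "denied"
        exc = root.find(f"{{{OWS}}}Exception")
        code = exc.get("exceptionCode", "unknown") if exc is not None else "unknown"
        return f"error:{code}"  # some other failure, not proof of an ACL check
    if root.tag == f"{{{CSW}}}GetRecordByIdResponse":
        return "leaked" if len(root) else "empty"  # any child element is a record
    return "error:unexpected-root"


def regression_failures(responses: dict) -> list:
    """Names of private records whose anonymous response disclosed metadata."""
    return sorted(name for name, body in responses.items() if classify(body) == "leaked")
```
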