[GeoNetwork-devel] GetRecordById / ACL

Hello,

While working on a client’s project based on GeoNetwork, I figured out that the GetRecordById CSW operation was not checking the current user’s rights before giving back the metadata as a CSW response. I attached a little patch which aims to fix this. Tested on trunk, with sample metadata (hydrological basins of Africa); after removing all privileges to non-logged people:

% curl 'http://localhost:8080/geonetwork/srv/fr/csw?service=CSW&request=GetRecordById&id=da165110-88fd-11da-a88f-000d939bc5d8'

Leads to the following response:

<?xml version="1.0" encoding="UTF-8"?>
<ows:ExceptionReport xmlns:ows="http://www.opengis.net/ows" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0.0" xsi:schemaLocation="http://www.opengis.net/ows http://schemas.opengis.net/ows/1.0.0/owsExceptionReport.xsd">
  <ows:Exception exceptionCode="NoApplicableCode">
    <ows:ExceptionText>OperationNotAllowedEx : Operation not allowed</ows:ExceptionText>
  </ows:Exception>
</ows:ExceptionReport>

Normally it should be possible to use a GetRecords operation as well to get a metadata, but I could not figure out by reading the code if some checks were already done during the building of the Lucene query or not; so this operation seems to be already safe.

Cheers,


Pierre Mauduit

Camptocamp France SAS
Savoie Technolac, BP 352
73377 Le Bourget du Lac Cedex
Tel : + 33 (0)4 79 44 44 92
http://www.camptocamp.com
pierre.mauduit@anonymised.com

(attachments)

acl-check_GetRecordById.java.patch (1.22 KB)
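
A regression check for the behaviour described in the message above, as an added example that is not part of the original post or its attached patch: it classifies a GetRecordById response body fetched as an anonymous user. The CSW 2.0.2 namespace, the function names and the `LEAKED` and `OTHER_ERROR` samples are assumptions constructed for illustration; `DENIED` is the response quoted in the message.

```python
import xml.etree.ElementTree as ET

OWS = "{http://www.opengis.net/ows}"
CSW = "{http://www.opengis.net/cat/csw/2.0.2}"  # assumed: CSW 2.0.2 endpoint

# Response quoted in the message (anonymous user, privileges removed).
DENIED = b"""<ows:ExceptionReport xmlns:ows="http://www.opengis.net/ows" version="1.0.0">
  <ows:Exception exceptionCode="NoApplicableCode">
    <ows:ExceptionText>OperationNotAllowedEx : Operation not allowed</ows:ExceptionText>
  </ows:Exception>
</ows:ExceptionReport>"""

# Constructed sample: what an unpatched server would hand to an anonymous user.
LEAKED = b"""<csw:GetRecordByIdResponse xmlns:csw="http://www.opengis.net/cat/csw/2.0.2"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
  <csw:SummaryRecord>
    <dc:identifier>da165110-88fd-11da-a88f-000d939bc5d8</dc:identifier>
  </csw:SummaryRecord>
</csw:GetRecordByIdResponse>"""

# Constructed sample: an exception unrelated to access control.
OTHER_ERROR = b"""<ows:ExceptionReport xmlns:ows="http://www.opengis.net/ows" version="1.0.0">
  <ows:Exception exceptionCode="MissingParameterValue">
    <ows:ExceptionText>Constructed: missing parameter</ows:ExceptionText>
  </ows:Exception>
</ows:ExceptionReport>"""


def classify(body: bytes) -> str:
    """Return 'denied', 'leaked', 'empty' or 'unexpected' for a response body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unexpected"          # HTML error page, truncated body, ...
    if root.tag == OWS + "ExceptionReport":
        texts = [e.text or "" for e in root.iter(OWS + "ExceptionText")]
        # Only the access-control exception counts; any other error would
        # make the check pass for the wrong reason.
        return "denied" if any("OperationNotAllowedEx" in t for t in texts) else "unexpected"
    if root.tag == CSW + "GetRecordByIdResponse":
        return "leaked" if len(root) else "empty"   # child element = record returned
    return "unexpected"


def acl_enforced(body: bytes) -> bool:
    """True when an anonymous request did not receive the record."""
    return classify(body) in ("denied", "empty")


if __name__ == "__main__":
    for name, body in [("DENIED", DENIED), ("LEAKED", LEAKED), ("OTHER_ERROR", OTHER_ERROR)]:
        print(name, classify(body), acl_enforced(body))
```

Feeding it the body returned by the curl request above, before and after applying the patch, shows whether the access check took effect.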