Hello,
While working on a client’s project based on GeoNetwork, I figured out that the GetRecordById CSW operation was not checking the current user’s rights before giving back the metadata as a CSW response. I attached a little patch which aims to fix this. Tested on trunk, with sample metadata (hydrological basins of africa) ; after removing all privileges to non-logged people :
Leads to the following response :
<?xml version="1.0" encoding="UTF-8"?><ows:ExceptionReport xmlns:ows=“http://www.opengis.net/ows” xmlns:xsi=“http://www.w3.org/2001/XMLSchema-instance” version=“1.0.0” xsi:schemaLocation=“http://www.opengis.net/ows http://schemas.opengis.net/ows/1.0.0/owsExceptionReport.xsd”>
<ows:Exception exceptionCode=“NoApplicableCode”>
ows:ExceptionTextOperationNotAllowedEx : Operation not allowed</ows:ExceptionText>
</ows:Exception>
</ows:ExceptionReport>
Normally it should be possible to use a GetRecords operation as well to get a metadata, but I could not figure out by reading the code if some checks were already done during the building of the lucene query or not ; so this operation seems to be already safe.
Cheers,
–
Pierre Mauduit
Camptocamp France SAS
Savoie Technolac, BP 352
73377 Le Bourget du Lac Cedex
Tel : + 33 (0)4 79 44 44 92
http://www.camptocamp.com
pierre.mauduit@anonymised.com
(attachments)
acl-check_GetRecordById.java.patch (1.22 KB)