[GeoNetwork-devel] Reviewers/Editors don't see list of xsl conversions when importing records

Hi,

In Geonetwork 3.0.x I’ve just noticed that reviewers/editors don’t have access to the xsl transformations when importing a new record. Administrators do. To replicate, create a reviewer or editor user, add to one or more groups, sign in as that user, go to contribute and then import new records, and then click the dropdown list named “Apply xslt conversion”. When logged in as an admin, this list is complete. When logged in as an editor or a reviewer it’s blank.

Is this by design, or a bug? If it’s by design, then I don’t think it should be possible to see that option at all.

Thanks

Jo

Jo Cook
t:+44 7930 524 155/twitter:@archaeogeek

Hi List,

Can anyone confirm this issue for me? I’m seeing it in both 3.0.4 and 3.0.5 snapshot, happy to submit a bug for it if necessary but I’d like it confirmed first.

Thanks

Jo

On Mon, Sep 12, 2016 at 2:38 PM, Jo Cook <jocook@anonymised.com> wrote:

Hi,

In Geonetwork 3.0.x I’ve just noticed that reviewers/editors don’t have access to the xsl transformations when importing a new record. Administrators do. To replicate, create a reviewer or editor user, add to one or more groups, sign in as that user, go to contribute and then import new records, and then click the dropdown list named “Apply xslt conversion”. When logged in as an admin, this list is complete. When logged in as an editor or a reviewer it’s blank.

Is this by design, or a bug? If it’s by design, then I don’t think it should be possible to see that option at all.

Thanks

Jo

Hi

The problem is that the service used to retrieve that list (admin.harvester.info) is allowed only for UserAdmin and higher profiles. See:

https://github.com/geonetwork/core-geonetwork/blob/3.0.x/web/src/main/webapp/WEB-INF/config-security/config-security-mapping.xml#L288

To fix it, a quick solution is to update it to:

<sec:intercept-url pattern="/[a-zA-Z0-9_-]+/[a-z]{2,3}/admin.harvester.info!?.*" access="hasRole('Editor')"/>

But before committing I want to check whether that change could enable access to unwanted information. It seems quite a generic service for harvester information retrieval. Not nice that it is shared with other functionalities.

Regards,
Jose García

On Thu, Sep 15, 2016 at 2:06 PM, Jo Cook <jocook@anonymised.com> wrote:

Hi List,

Can anyone confirm this issue for me? I’m seeing it in both 3.0.4 and 3.0.5 snapshot, happy to submit a bug for it if necessary but I’d like it confirmed first.

Thanks

Jo


Astun Technology Ltd, The Coach House, 17 West Street, Epsom, Surrey, KT18 7RL, UK
t:+44 1372 744 009 w: astuntechnology.com twitter:@astuntech

iShare - enterprise geographic intelligence platform
GeoServer, PostGIS and QGIS training
Helpdesk and customer portal

Company registration no. 5410695. Registered in England and Wales. Registered office: 120 Manor Green Road, Epsom, Surrey, KT19 8LN VAT no. 864201149.



GeoNetwork-devel mailing list
GeoNetwork-devel@…537…sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork

Vriendelijke groeten / Kind regards,

Jose García


Veenderweg 13
6721 WD Bennekom
The Netherlands
T: +31 (0)318 416664

Please consider the environment before printing this email.
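
The effect of the proposed rule change can be checked before committing. The following Python sketch is an added example, not GeoNetwork code and not part of the original messages: it models first-match evaluation of intercept-url rules and lists which profiles gain access. The profile ordering, the catch-all rule and the sample paths are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
# Assumed GeoNetwork profile order, lowest to highest (not stated in the thread).
PROFILES = ["Guest", "RegisteredUser", "Editor", "Reviewer", "UserAdmin", "Administrator"]
# Pattern as quoted in the thread.
HARVESTER_INFO = "/[a-zA-Z0-9_-]+/[a-z]{2,3}/admin.harvester.info!?.*"
# Constructed catch-all for other admin services, only to show rule ordering.
ADMIN_CATCH_ALL = "/[a-zA-Z0-9_-]+/[a-z]{2,3}/admin.*"

TEMPLATE = """<sec:http xmlns:sec="{ns}">
  <sec:intercept-url pattern="{p1}" access="hasRole('{role}')"/>
  <sec:intercept-url pattern="{p2}" access="hasRole('Administrator')"/>
</sec:http>"""


def mapping_xml(role):
    """Constructed two-rule mapping; only the first rule's pattern is from the thread."""
    return TEMPLATE.format(ns=SEC_NS, p1=HARVESTER_INFO, p2=ADMIN_CATCH_ALL, role=role)


def load_rules(xml_text):
    """Return (compiled pattern, required role) pairs in declaration order."""
    rules = []
    for el in ET.fromstring(xml_text).iter(f"{{{SEC_NS}}}intercept-url"):
        role = re.fullmatch(r"hasRole\('(\w+)'\)", el.get("access")).group(1)
        rules.append((re.compile(el.get("pattern")), role))
    return rules


def who_can(rules, path):
    """First rule whose regex matches the whole path decides; no match means deny."""
    for pattern, role in rules:
        if pattern.fullmatch(path):
            # With a role hierarchy, hasRole(X) admits X and every higher profile.
            return PROFILES[PROFILES.index(role):]
    return []


def newly_allowed(before, after, path):
    """Profiles that gain access to path when 'before' is replaced by 'after'."""
    gained = set(who_can(after, path)) - set(who_can(before, path))
    return [p for p in PROFILES if p in gained]


if __name__ == "__main__":
    before = load_rules(mapping_xml("UserAdmin"))  # current state described in the thread
    after = load_rules(mapping_xml("Editor"))      # proposed change
    # Last path: the unescaped '.' in the pattern matches any character.
    for path in ("/srv/eng/admin.harvester.info", "/srv/eng/admin.other.service",
                 "/srv/eng/adminXharvesterXinfo"):
        print(path, "->", newly_allowed(before, after, path))
```
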

Hi

Checking the service, it returns information about the icons used for harvesting, harvesting types, and stylesheets and fragments. I don’t see any issue with allowing the service to editors; it seems there is no critical information, and it’s only used to retrieve information.

Some of the types return full paths, for example for fragments. I don’t like that too much, as it reveals the paths on the server, but that’s other stuff.

If there is no additional comment from other developers, on Monday I will commit the change.

Regards,
Jose García

On Fri, Sep 16, 2016 at 12:43 PM, Jose Garcia <jose.garcia@anonymised.com> wrote:

Hi

The problem is that the service used to retrieve that list (admin.harvester.info) is allowed only for UserAdmin and higher profiles. See:

https://github.com/geonetwork/core-geonetwork/blob/3.0.x/web/src/main/webapp/WEB-INF/config-security/config-security-mapping.xml#L288

To fix it, a quick solution is to update it to:

<sec:intercept-url pattern="/[a-zA-Z0-9_-]+/[a-z]{2,3}/admin.harvester.info!?.*" access="hasRole('Editor')"/>

But before committing I want to check whether that change could enable access to unwanted information. It seems quite a generic service for harvester information retrieval. Not nice that it is shared with other functionalities.

Regards,
Jose García
