Bug #12387

OAI-PMH GetRecord verb should filter Draft descriptions consistent with other verb responses

Added by David Juhasz about 2 years ago. Updated 5 months ago.

Status: Verified
Start date: 08/15/2018
Priority: Medium
Due date:
Assignee: Dan Gillean
% Done: 0%
Category: OAI-PMH
Estimated time: 8.00 hours
Target version: Release 2.6.0
Google Code Legacy ID:
Tested version: 2.4
Sponsored: No
Requires documentation:

Description

Summary
An OAI-PMH "GetRecord" request will erroneously return a description with a publication status of "Draft" if the user is logged in and running the request/response via the browser. This is because GetRecord is using ACL checks, while other verbs are pre-filtering out draft records.

To reproduce:
1) Find or create a draft archival description, and determine the OAI-PMH identifier (e.g. oai:10.10.10.10:djjuhasztest_3)
2) Request the description via OAI-PMH "GetRecord" verb (e.g. http://10.10.10.10/;oai?verb=GetRecord&identifier=oai:10.10.10.10:djjuhasztest_3&metadataPrefix=oai_dc)

Resulting error
The draft description is returned in the OAI-PMH response for the logged in user's browser session, e.g.

<OAI-PMH xmlns="http://www.openarchives.org/OAI/2.0/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.openarchives.org/OAI/2.0/ http://www.openarchives.org/OAI/2.0/OAI-PMH.xsd">
  <responseDate>2018-08-15T23:36:45Z</responseDate>
  <request verb="GetRecord" identifier="oai:10.10.10.10:djjuhasztest_3" metadataPrefix="oai_dc">http://10.10.10.10/;oai</request>
  <GetRecord>
    <record>
      <header>
        <identifier>oai:10.10.10.10:djjuhasztest_3</identifier>
        <datestamp>2018-08-15T23:36:43Z</datestamp>
        <setSpec>oai:10.10.10.10:djjuhasztest_3</setSpec>
      </header>
      <metadata>
        <oai_dc:dc xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.openarchives.org/OAI/2.0/oai_dc/ http://www.openarchives.org/OAI/2.0/oai_dc.xsd">
          <dc:title>Test Fonds</dc:title>
          <dc:creator>Juhasz, David J.</dc:creator>
          <dc:date>2018</dc:date>
          <dc:format>Testing the fonds</dc:format>
          <dc:identifier>http://localhost/test-fonds</dc:identifier>
          <dc:identifier>test-1234</dc:identifier>
        </oai_dc:dc>
      </metadata>
    </record>
  </GetRecord>
</OAI-PMH>

Expected result
The OAI-PMH response should return an "idDoesNotExist" error message.

Notes
  • The OAI-PMH ListRecords and ListIdentifiers responses correctly omit the draft description

History

#1 Updated by David Juhasz about 2 years ago

  • Description updated (diff)

#2 Updated by David Juhasz about 2 years ago

  • Description updated (diff)

Correct response body

#3 Updated by David Juhasz about 2 years ago

The GetRecord and ListRecords verbs correctly omit Draft descriptions when requesting the "oai_ead" metadata format.

#4 Updated by Mike Cantelon about 2 years ago

  • Status changed from New to Feedback

#6 Updated by David Juhasz about 2 years ago

  • Assignee deleted (David Juhasz)
  • Target version changed from Release 2.4.1 to Release 2.5.0
  • Estimated time set to 8.00

#8 Updated by Dan Gillean over 1 year ago

  • Target version changed from Release 2.5.0 to Release 2.5.1

#9 Updated by Corinne Rogers over 1 year ago

  • Target version changed from Release 2.5.1 to Release 2.6.0

#10 Updated by Dan Gillean 5 months ago

  • Status changed from Feedback to New
  • Target version deleted (Release 2.6.0)

Removing release tag since we haven't yet dealt with this.

#11 Updated by José Raddaoui Marín 5 months ago

  • Status changed from New to In progress
  • Assignee set to Dan Gillean
  • Target version set to Release 2.6.0

Some notes about this issue:

First of all, the browser session is being considered in the OAI plugin so, if you visit a record in the browser while you're logged in, you may be able to see draft records based on your permissions. However, when you log out, draft records don't show up in the GetRecord verb either. The ACL check occurs in the XML template ATM, which avoids the display of the "idDoesNotExist" error message. This has been addressed in:

https://github.com/artefactual/atom/commit/0b7b67a2e9a53973f0efebdfdbbe6a496889721f

Second, the ListIdentifiers and ListRecords verbs filter drafts in all cases in here, without using ACL and therefore not considering the user session.

To normalize these verbs, we need to decide if we want to hide drafts always or if we want to trust the ACL checks in all cases.
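The two code paths described in this comment (the list verbs pre-filtering drafts before any ACL check, GetRecord deferring to an ACL decision that depends on the session), as an added Python illustration that is not AtoM's own PHP code; the catalogue entries, identifiers and the session flag are constructed, and `get_record_filtered` shows the "hide drafts always" option with a check that it agrees with the list verbs:

```python
from dataclasses import dataclass

DRAFT, PUBLISHED = "draft", "published"
OAI_NS = "http://www.openarchives.org/OAI/2.0/"

@dataclass
class Description:
    oai_id: str
    status: str

# Constructed sample catalogue: one draft and one published description.
CATALOGUE = {
    "oai:example.org:draft_1": Description("oai:example.org:draft_1", DRAFT),
    "oai:example.org:pub_1": Description("oai:example.org:pub_1", PUBLISHED),
}

def error_xml(code: str, verb: str) -> str:
    """Minimal OAI-PMH error body; the issue expects code idDoesNotExist for drafts."""
    return (f'<OAI-PMH xmlns="{OAI_NS}"><request verb="{verb}"/>'
            f'<error code="{code}"/></OAI-PMH>')

def record_xml(desc: Description) -> str:
    return f'<GetRecord><record><identifier>{desc.oai_id}</identifier></record></GetRecord>'

def list_identifiers() -> list:
    """ListIdentifiers / ListRecords path: drafts are pre-filtered, session never consulted."""
    return [d.oai_id for d in CATALOGUE.values() if d.status == PUBLISHED]

def get_record_acl(identifier: str, session_can_read_drafts: bool) -> str:
    """Original GetRecord path: unfiltered lookup, then an ACL check, so a logged-in
    session that may read drafts gets the draft while an anonymous one gets the error."""
    desc = CATALOGUE.get(identifier)
    if desc is None or (desc.status == DRAFT and not session_can_read_drafts):
        return error_xml("idDoesNotExist", "GetRecord")
    return record_xml(desc)

def get_record_filtered(identifier: str, session_can_read_drafts: bool = False) -> str:
    """Normalised GetRecord: the same draft pre-filter as the list verbs runs before
    any ACL decision, so the (deliberately unused) session argument cannot change the answer."""
    desc = CATALOGUE.get(identifier)
    if desc is None or desc.status != PUBLISHED:
        return error_xml("idDoesNotExist", "GetRecord")
    return record_xml(desc)

def consistent(identifier: str) -> bool:
    """GetRecord must expose a record if and only if the list verbs do, whatever the session."""
    listed = identifier in list_identifiers()
    return all(("idDoesNotExist" not in get_record_filtered(identifier, s)) == listed
               for s in (False, True))
```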

#12 Updated by Dan Gillean 5 months ago

  • Subject changed from OAI-PMH GetRecord verb should not return Draft descriptions to OAI-PMH GetRecord verb should filter Draft descriptions consistent with other verb responses
  • Private changed from Yes to No

I've made the issue public now (since it sounds like it was not actually a security issue) and updated the title.

#13 Updated by Dan Gillean 5 months ago

  • Description updated (diff)

#14 Updated by José Raddaoui Marín 5 months ago

  • Status changed from In progress to Code Review
  • Assignee changed from Dan Gillean to Steve Breker

#15 Updated by José Raddaoui Marín 5 months ago

  • Status changed from Code Review to QA/Review
  • Assignee changed from Steve Breker to Dan Gillean

Merged in qa/2.6.x.

#16 Updated by Dan Gillean 5 months ago

  • Status changed from QA/Review to Verified
