Feature #13351

Download AIP and AIP files from AtoM UI

Added by David Juhasz 11 months ago. Updated 4 months ago.

Status: Verified
Start date: 12/18/2020
Priority: Medium
Due date:
Assignee: Peter Van Garderen
% Done: 100%
Category: Archivematica integration
Target version: Release 2.7.0
Google Code Legacy ID:
Tested version:
Sponsored: Yes
Requires documentation: Yes

Description

Scenario: A user clicks a button to download either an AIP or a single file from
an AIP from the archival description page in AtoM

    Given: AtoM has been configured with the URL and authentication information 
        for the Archivematica Storage Service from which it will request packages
        and files
    And: The authenticated user belongs to a group that has been granted 
        authorization to download AIPs and AIP files
    And: An authenticated user has navigated to an archival description view page
    And: The archival description has a digital object attached
    And: The archival description has an Object UUID displayed in the digital 
        object metadata area
    And: The archival description has an AIP UUID displayed in the Digital object
        metadata area

    When: The user clicks the “Retrieve file” button next to the Object UUID
    Then: A copy of the digital object with the same Object UUID is retrieved from
        the AIP and downloaded to the user’s computer
    And: The user is able to use other parts of the AtoM application without a 
        significant decrease in performance while the file is downloading
    And: A record of the download which includes name of user, Object UUID and 
        date and time of download is made available to AtoM users with 
        administrative privileges

    When: The user clicks the “Retrieve AIP” button next to the AIP UUID
    Then: A copy of the AIP with the same UUID is retrieved from archival storage
        and downloaded to the user’s computer
    And: The user is able to use other parts of the AtoM application without a 
        significant decrease in performance while the AIP is downloading

Image 1.png (157 KB) Steve Breker, 08/11/2020 07:39 PM

Image 2.png (324 KB) Steve Breker, 08/11/2020 07:39 PM

Differing user group security for each download link.png (118 KB) Steve Breker, 09/23/2020 03:16 PM


Subtasks

Bug #13454: Problem: Archivematica "Download File" link does not work... (Verified)

History

#1 Updated by David Juhasz 10 months ago

  • Estimated time set to 154.00

#2 Updated by Dan Gillean 10 months ago

  • Target version set to Release 2.7.0

#3 Updated by David Juhasz 9 months ago

  • Description updated (diff)

Edit: Remove the download log functionality from the Gherkin scenario, as this functionality was removed from the agreed statement of work.

#5 Updated by Steve Breker 9 months ago

Merged to qa/2.x.

#6 Updated by Steve Breker 9 months ago

Steps for activating/testing/using the AIP download feature:

- Set up AtoM and AM to use DIP upload to create test data
- In AtoM activate the new Storage Service plugin
- Go to AtoM->Settings->Storage service
- Enter the correct connection details for the Storage Service API you are connecting to (See image 1)
- Be sure to set it to 'Enabled'

Browse to a digital object that was created using the DIP Upload feature - download links are located to the right of the object and AIP UUIDs (See image 2).

When these links are clicked a new tab will temporarily open and will remain open until the Storage Service responds to the request. Once the file download begins, the download tab will disappear to be replaced with the download status icon for your browser. The files are saved with the name sent in the Storage Service response. If there is an error with the call to the Storage Service, the error status page will be displayed in this tab.

#7 Updated by Steve Breker 9 months ago

#8 Updated by Steve Breker 9 months ago

By default only Administrator users have access to the download buttons. This can be changed by updating the security.yml file in the plugin folder:

The security.yml file is located here:
plugins/arStorageServicePlugin/modules/arStorageService/config/security.yml

Be sure to update the one in the arStorageService folder and not the settings folder!

Default contents (limited to administrator):

all:
  is_secure: true
  credentials: administrator

Example security file contents with editor and translator groups added:

all:
  is_secure: true
  credentials: [[ administrator, editor, translator ]]

#9 Updated by Steve Breker 9 months ago

Merged and ready for QA

#10 Updated by Evelyn McLellan 8 months ago

Internal QA and client testing conducted on client's internal dev instance.

#11 Updated by Evelyn McLellan 8 months ago

  • Status changed from New to Document
  • Assignee set to Peter Van Garderen

#12 Updated by Peter Van Garderen 8 months ago

See notes for documentation on the PR: https://github.com/artefactual/atom/commit/d8f09deebdef6449a561dd6897501dc09273839d

Note also that in addition to the arStorageServicePlugin being enabled, the arRestApiPlugin also needs to be enabled for this feature.

#13 Updated by Steve Breker 8 months ago

Created new PR to address exception message display:

https://github.com/artefactual/atom/pull/1182

An exception is triggered in the AIP file download class if an underlying AIP record can't be found in the AtoM database. This error message will now correctly display the AIP's UUID.

#14 Updated by Steve Breker 8 months ago

PR 1182 merged to qa/2.x and picked to the client repo.

An exception is triggered in the AIP file download class if an underlying AIP record can't be found in the AtoM database. This error message will now correctly display the AIP's UUID.

This fix is ready for QA.

#15 Updated by Peter Van Garderen 8 months ago

  • Assignee changed from Peter Van Garderen to Steve Breker

As per note #8 above, permissions for the "Download File" and "Download AIP" features are enforced via settings in plugins/arStorageServicePlugin/modules/arStorageService/config/security.yml

However, on the archival description view page, File and AIP UUID values are shown for all authenticated users and, if arStorageServicePlugin is enabled, so are the "Download File" and "Download AIP" hyperlinks, for all authenticated users.

If a user that does not belong to a group identified in the plugins/arStorageServicePlugin/modules/arStorageService/config/security.yml settings clicks on one of these links, they will get a 403 redirect to a "Sorry, you do not have permission to access that page" message.

Then this user is left to wonder why they were shown and able to click on the hyperlink but do not have access. A better user experience is to only display and activate the "Download File" and "Download AIP" hyperlinks for those users that are members of a group that has this permission as per the security.yml settings (by default administrators only).

#16 Updated by Peter Van Garderen 8 months ago

  • Status changed from Document to In progress

Documentation PR. It assumes Note #15 above has been addressed: https://github.com/artefactual/atom-docs/pull/165

#17 Updated by Steve Breker 8 months ago

CR needed for fix for issue described in Note 15:

https://github.com/artefactual/atom/pull/1196

#18 Updated by Steve Breker 7 months ago

Merged PR 1196.

Hide AIP Download links, refs #13351

This commit fixes an issue where the aip and file download links
were still being displayed for authenticated users even when the
arStorageService security.yml credentials should prevent this.

A check has been added to prevent display of these download links
when a user's group is not in the credentials section of the
arStorageService plugin security.yml file.

By default, the Storage Service's plugin security.yml file sets
access credentials for both AIP download and file download at the
same time using the 'all' wildcard. The security credentials setting
can be configured individually as well - this has the advantage of
being able to control access to the two download links independently.

e.g.: Only administrators can download the full aip; both admin and
editor groups can download the individual file:

download:
  is_secure: true
  credentials: administrator

extractFile:
  is_secure: true
  credentials: [[ editor, administrator ]]
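
The bracket nesting of the `credentials` value decides whether the listed groups are combined with AND or OR, and an action section such as `download` takes precedence over `all`. The following is an added example, not AtoM or Symfony source code: it models the Symfony 1.x evaluation rule against the YAML shown on this page, assuming a user's credentials are a flat set of group names. The `TYPO` config and the `contributor` sample group are constructed for illustration.

```python
# Added model of Symfony 1.x security.yml evaluation; not AtoM/Symfony source.
# Assumption: a user's credentials are a flat set of group names.

def has_credential(user_creds, required, use_and=True):
    """Each nesting level flips the mode: outer list = AND, inner list = OR."""
    if not isinstance(required, list):
        return required in user_creds
    checks = [has_credential(user_creds, r, not use_and) for r in required]
    return all(checks) if use_and else any(checks)

def can_access(security, action, user_creds, authenticated=True):
    """Resolve one setting at a time: action section first, then 'all'."""
    def setting(name, default=None):
        for section in (action, "all"):
            if name in security.get(section, {}):
                return security[section][name]
        return default
    if not setting("is_secure", False):   # assumed default: unsecured
        return True
    if not authenticated:
        return False
    required = setting("credentials")
    return required is None or has_credential(user_creds, required)

# The page's YAML, transcribed as Python literals.
DEFAULT = {"all": {"is_secure": True, "credentials": "administrator"}}
SPLIT = {
    "download": {"is_secure": True, "credentials": "administrator"},
    "extractFile": {"is_secure": True,
                    "credentials": [["editor", "administrator"]]},
}
# Constructed misconfiguration: single brackets mean editor AND administrator.
TYPO = {
    "download": SPLIT["download"],
    "extractFile": {"is_secure": True,
                    "credentials": ["editor", "administrator"]},
}

def access_matrix(security, groups=("administrator", "editor", "contributor")):
    """Map (group, action) -> allowed, for a user in exactly one group."""
    return {(g, a): can_access(security, a, {g})
            for g in groups for a in ("download", "extractFile")}

if __name__ == "__main__":
    for name, cfg in (("DEFAULT", DEFAULT), ("SPLIT", SPLIT), ("TYPO", TYPO)):
        print(name, access_matrix(cfg))
```

With the single-bracket `TYPO` form, a user who is only an editor or only an administrator is denied `extractFile`, because both credentials are required at once.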

#19 Updated by Steve Breker 7 months ago

Added screen shot of DO Metadata display when a user is in a group that has access to one link only as described in Note 18. The image is from a user in the editor group which has access only to the individual file download link.

#20 Updated by Steve Breker 7 months ago

Cherry picked to the NCTR client repo, stable/2.6.x.

#21 Updated by Peter Van Garderen 7 months ago

  • Status changed from In progress to Verified
  • Assignee changed from Steve Breker to Peter Van Garderen

QA'ed "Hide AIP download links" fix: Fine-grained ``download`` and ``extractFile`` permissions are working as expected. Authenticated user group members that are not included in these settings see the AIP UUID and File UUID but no download links. Unauthenticated (anonymous) users don't see any AIP UUID or File UUID info at all.

PHP-FPM restart not needed for changes to take effect, just `php symfony cc`.

Updated docs commit: https://github.com/artefactual/atom-docs/pull/165/commits/fdb3489ada609c18a139a2ca3a4bfde6ab777fb0
