Bug #13437

Problem: Digital object authorization code is too complicated

Added by David Juhasz 6 months ago. Updated 6 months ago.

Status:QA/ReviewStart date:11/06/2020
Priority:MediumDue date:
Assignee:-% Done:


Category:Access Control
Target version:Release 2.7.0
Google Code Legacy ID: Tested version:
Sponsored:No Requires documentation:



Over time the rules for checking a user's authorization to access digital objects has become increasingly complex. In addition to the original QubitAcl access rules for digital objects, the following rules and exceptions have been subsequently added:

  1. An exception to the ACL "readMaster" rule to always allow viewing or downloading PDF documents
  2. PREMIS access rules for public (unauthenticated) users, to limit access to digital object representations based on PREMIS rights and actions associated with an archival description.
  3. An optional conditional copyright notice that is displayed and must be accepted by a public user before they view or download a digital object
  4. Authority record digital objects, with their own simplified access rules

To check each of these additional rules additional authorization checks have been added to every place in the code where authorization is required. This has lead to inconsistent application of the access rules (some rules are checked, but other are not), hard-to read code, and requires extra effort to add and maintain authorization checks.


A digital object authorization check in the clipboard export code (https://github.com/artefactual/atom/blob/qa/2.x/lib/job/arExportJob.class.php#L324-L339)

if (
  && (
    QubitTerm::TEXT_ID == $digitalObject->mediaTypeId
    || (
      'actor' == $this->params['objectType']
      && $this->user->isAuthenticated()
      && QubitAcl::check($resource, 'read')
    ) || (
      'informationObject' == $this->params['objectType']
      && QubitAcl::check($resource, 'readMaster')
      && QubitGrantedRight::checkPremis($resource->id, 'readMaster')
      && !$digitalObject->hasConditionalCopyright()


It should be possible to check all of the digital object authorization rules, for archival descriptions and authority records, with a single authorization function.

Related issues

Related to Access to Memory (AtoM) - Feature #13395: Include digital objects in clipboard exports QA/Review 07/25/2020


#1 Updated by David Juhasz 6 months ago

  • Status changed from New to Code Review
  • Assignee deleted (David Juhasz)

#2 Updated by David Juhasz 6 months ago

  • Description updated (diff)

#3 Updated by David Juhasz 6 months ago

  • Status changed from Code Review to QA/Review

#4 Updated by David Juhasz 6 months ago

  • Related to Feature #13395: Include digital objects in clipboard exports added

Also available in: Atom PDF