Add digital object access control
|Assignee:||Mike Gale||% Done:|
|Target version:||Release 2.2.0|
|Google Code Legacy ID:||atom-764||Tested version:||2.2|
access the digital objects via the appropriate digitalobject/actions. this
prevents users from accessing the uploads directory directly
[g] Legacy categories: User management
#7 Updated by Anonymous about 11 years ago
/p/qubit-toolkit/issues/detail?id=764/1255 is a security issue. Using the Symfony default configuration digital objects are currently posted to the /upload directory under the public web directory. We want to move the upload directory to a more secure /data directory outside of the public web directory. The reason that it has been delayed is that it is technically complex (namely digital files will now likely have to get serialized through PHP) and will require some time to implement and test. We haven't been able to secure funding for that time yet.
This comment is taken from an email exchange between Tim H. and Peter VG. on 2011.03.11
[g] New owner: David Juhasz
#10 Updated by Jesús García Crespo over 10 years ago
- Subject set to Add digital object access control
#14 Updated by David Juhasz over 7 years ago
- Status changed from New to QA/Review
- Assignee changed from David Juhasz to Sarah Romkey
- Priority changed from Low to Medium
- Target version set to Release 2.2.0
- Sponsored changed from No to Yes
- Requires documentation set to Yes
This enhancement has been added to the dev/2.2.x branch of AtoM, and will be included in the public AtoM 2.2.0 release. Deployment requires web server configuration which will need to be documented.
#17 Updated by Sarah Romkey over 7 years ago
- Start date set to 04/07/2014
- % Done changed from 0 to 100
- Estimated time changed from 40.00 to 460.00
In version 2.2, access control for digital objects will be facilitated through the use of PREMIS rights. Administrators have the option of choosing one PREMIS act/granted right to make "actionable" throughout the database on the digital objects. The administrator can also set whether thumbnails, reference copies, and/or master copies are viewable/downloadable by public users based on Allow, Disallow or Conditional rights applied to the archival description. Note that unlike previous version, rights records are no longer associated directly with digital objects, rather they are associated with the archival description and then actions are placed on the digital objects attached to those archival descriptions.
Included in the development of this feature:
- The replacement of thumbnails with generic icons when viewing thumbnail is disallowed.
- The replacement of reference representations with text (cutomizeable through the user interface by administrators) when viewing reference representations is disallowed.
- Users are unable to navigate directly to restricted digital objects (e.g. by entering the URL directly).
- Rights can be set to inherit or be combined from parent to child, either throughout all child descriptions, or only those with digital objects.
- PREMIS rights template has been upgraded to 2.2.
#18 Updated by Dan Gillean about 7 years ago
- File digi-object-thumbnail.png added
One small thought. Would be nice if we could adjust/resize/reposition the default thumbnail settings when access is denied, so they are not clipped/cropped in the thumbnail preview. See attached screenshot, digi-object-thumbnail.png
#21 Updated by Dan Gillean about 7 years ago
- File rights-settings.png added
- File rights-statements.png added
- File rights-added.png added
- File rights-placeholder.png added
- Status changed from QA/Review to Feedback
- Assignee changed from Sarah Romkey to Mike Gale
Rights statements added in #7339 are not working - and the reference placeholder seems to be showing a generic fallback icon, instead of a mimetype specific one as used for the thumbnail placeholder.Testing steps
- In Admin > Settings > Permissions, set Display as the Act basis, and make sure all Disallow conditions are set to "Disallowed" - see rights-settings.png
- In Admin > Settings > User interface labels, add some custom text to the access_disallow_warning - see rights-statements.png
- Upload or link an image to an archival description
- Add rights to the description via the More button in the button block. Make sure that the act in the rights is Display, and the condition is set to Disallow. Save. See rights-added.png Make sure your description is published as well so you can find it as a public user.
- Log out of the application.
- Go to Browse > Archival descriptions and locate your description. Confirm that the correct placeholder is there instead of the thumbnail (works - cropping issue filed in #8108)
- Navigate to the description
- Instead of displaying the image placeholder icon, a default generic icon is shown
- The disallow statement added to the access_disallow_warning field in the User inteface labels is not displayed
- see: rights-placeholder.png
- User should see the help text added to the access_disallow_warning in the User inteface labels, instead of the image...
- If a placeholder icon is shown, it should be specific to the media - e.g. the image placeholder for an image, as shown for the thumbnail.
#23 Updated by Dan Gillean about 7 years ago
- Status changed from Feedback to Verified