OAI-PMH Identity exposes all admin email addresses
| Field | Value |
|---|---|
| Assignee | Dan Gillean |
| % Done | |
| Category | OAI-PMH |
| Estimated time | 4.00 hours |
| Target version | Release 2.2.0 |
| Google Code Legacy ID | |
| Tested version | 2.2 |
- As an unauthenticated user (logged out), submit the OAI Identify verb to your AtoM site by manipulating the URL, e.g.
- AtoM's OAI-PMH response exposes all administrator email addresses.
- There is no way to configure or limit this exposure.
AtoM's OAI-PMH module needs to return at least one administrator contact in the request, according to the OAI-PMH protocol (http://www.openarchives.org/OAI/2.0/openarchivesprotocol.htm#Identify). However, users should have the option as to which email addresses are returned.
David's proposal is to add a field to the OAI repository settings page that allows users to enter one or more admin email addresses. He proposes a simple text field where multiple values can be comma-delimited.
Proposed tooltip for the field:
"Enter the email address(es) of at least one administrator for the repository. Multiple addresses can be entered, separated by commas. The address(es) will be exposed as part of a response to an Identify request."
Assigning to David J for triage.
#7 Updated by Dan Gillean about 7 years ago
- Status changed from QA/Review to Verified
Works well! Tested with 0, 1, 2, and 3 email addresses entered - works in all cases.
Notes for the future:
There is currently no validation set on the field. Meaning:
- A user can leave this empty without receiving any indication that the OAI-PMH requires at least one email per repository to be included in the request.
- garbage data, partial emails, etc. can be entered, and will still appear in the <adminEmail> element as part of the response, e.g.
<adminEmail>email@example.com</adminEmail> <adminEmail>second-admin@</adminEmail> <adminEmail>third-email</adminEmail>
A possible enhancement for the future might be to put some validation on this field, and possibly introduce a separate, repeating field per email address for better validation. All that can be dealt with in a future ticket if it becomes relevant.
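The parsing and validation step the ticket leaves for the future, as an added example that is not AtoM's own code: it splits the proposed comma-delimited setting, renders the <adminEmail> elements of an Identify response, and shows the unvalidated behaviour beside a validated one that drops malformed entries and refuses an empty list (the protocol requires at least one adminEmail). The function names and the simple address pattern are assumptions for illustration.

```python
# Added example (not AtoM's own code): parse the comma-delimited admin-email
# setting, validate each entry, and render <adminEmail> elements for an
# OAI-PMH Identify response. Function names are assumed for illustration.
import re
from xml.sax.saxutils import escape

# Assumption: a sanity filter (local part, one "@", dotted domain),
# not a full RFC 5322 validator.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_admin_emails(setting):
    """Split the comma-delimited setting into stripped, non-empty entries."""
    return [e.strip() for e in setting.split(",") if e.strip()]

def validate_admin_emails(entries):
    """Return (valid, rejected); rejected entries are reported, not emitted."""
    valid = [e for e in entries if _EMAIL_RE.match(e)]
    rejected = [e for e in entries if not _EMAIL_RE.match(e)]
    return valid, rejected

def render_admin_emails(setting, validate=True):
    """Render the <adminEmail> elements of an Identify response.

    validate=False mirrors the behaviour described in the ticket: every
    entry, including partial addresses, is emitted as-is.
    validate=True drops malformed entries and raises when nothing valid
    remains, because Identify must carry at least one adminEmail.
    """
    entries = parse_admin_emails(setting)
    if validate:
        entries, _rejected = validate_admin_emails(entries)
        if not entries:
            raise ValueError("OAI-PMH Identify requires at least one valid adminEmail")
    # Escape so a stray "<" or "&" in the setting cannot break the XML.
    return "".join(f"<adminEmail>{escape(e)}</adminEmail>" for e in entries)

if __name__ == "__main__":
    # Constructed sample matching the ticket's example input.
    setting = "email@example.com, second-admin@, third-email"
    print(render_admin_emails(setting, validate=False))  # all three emitted
    print(render_admin_emails(setting))                  # only the valid one
```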