Bug #8156

OAI-PMH Identity exposes all admin email addresses

Added by Dan Gillean about 7 years ago. Updated about 7 years ago.

Status: Verified
Start date: 03/27/2015
Priority: High
Due date:
Assignee: Dan Gillean
% Done: 0%
Category: OAI-PMH
Estimated time: 4.00 hours
Target version: Release 2.2.0
Google Code Legacy ID:
Tested version: 2.2
Sponsored: No
Requires documentation:

Description

To reproduce
  • As an unauthenticated user (logged out) submit the OAI identify verb to your AtoM site by manipulating the URL - e.g.
    http://qa-22x.test.artefactual.com/;oai?verb=Identify
    
Resulting error
  • AtoM's OAI-PMH response exposes all administrator email addresses.
  • There is no way to configure or limit this exposure.

Screenshot attached.

Expected result
AtoM's OAI-PMH module needs to return at least one administrator contact in the request, according to the OAI-PMH protocol (http://www.openarchives.org/OAI/2.0/openarchivesprotocol.htm#Identify). However, users should have the option as to which email addresses are returned.

David's proposal is to add a field to the OAI repository settings page, that allows users to enter 1 or more admin email addresses. He proposes a simple text field where multiple values can be comma-delimited.

Proposed tooltip for the field:

"Enter the email address(es) of at least one administrator for the repository. Multiple addresses can be entered, separated by commas. The address(es) will be exposed as part of a response to an Identify request."

Assigning to David J for triage.

oai-identify.png (49 KB) Dan Gillean, 03/27/2015 09:29 AM

History

#1 Updated by Dan Gillean about 7 years ago

  • Assignee changed from David Juhasz to Mike Cantelon
  • Target version set to Release 2.2.0

#2 Updated by Dan Gillean about 7 years ago

  • Assignee changed from Mike Cantelon to José Raddaoui Marín
  • Estimated time set to 4.00

Reassigned to Radda.

#3 Updated by Mike Cantelon about 7 years ago

I did a bit of work on this at dev/issue-8156-oai-admin-emails. I've added an admin emails field but it's complaining when I save, so another tweak likely needs to be made somewhere.

#4 Updated by José Raddaoui Marín about 7 years ago

  • Status changed from New to Code Review
  • Assignee changed from José Raddaoui Marín to Mike Cantelon

PR 133

#5 Updated by Mike Cantelon about 7 years ago

  • Status changed from Code Review to Feedback
  • Assignee changed from Mike Cantelon to José Raddaoui Marín

OK, code looks good other than a couple of minor issues!

#6 Updated by José Raddaoui Marín about 7 years ago

  • Status changed from Feedback to QA/Review
  • Assignee changed from José Raddaoui Marín to Dan Gillean

Thanks Mike!

#7 Updated by Dan Gillean about 7 years ago

  • Status changed from QA/Review to Verified

Works well! Tested with 0, 1, 2, and 3 email addresses entered - works in all cases.

Notes for the future:
There is currently no validation set on the field. Meaning:
  • A user can leave this empty without receiving any indication that the OAI-PMH requires at least one email per repository to be included in the request.
  • Garbage data, partial emails, etc. can be entered, and will still appear in the <adminEmail> element as part of the response, e.g.
    <adminEmail>admin@example.com</adminEmail>
    <adminEmail>second-admin@</adminEmail>
    <adminEmail>third-email</adminEmail>
    

A possible enhancement for the future might be to put some validation on this field, and possibly introduce a separate, repeating field per email address for better validation. All that can be dealt with in a future ticket if it becomes relevant.

#8 Updated by Dan Gillean about 7 years ago

  • Private changed from Yes to No
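
The validation gap noted in update #7, as an added example that is not AtoM's code or part of the original ticket: a Python sketch that parses the comma-delimited admin email setting, rejects malformed entries, enforces the one-address minimum, and emits only the configured addresses as escaped <adminEmail> elements. The function names and the address pattern are assumptions made for illustration.

```python
import re
from xml.sax.saxutils import escape

# Pragmatic address pattern (assumption): local@domain.tld without spaces or
# angle brackets. It is not a full RFC 5322 parser.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_admin_emails(raw):
    """Split the comma-delimited setting into (valid, rejected) lists."""
    valid, rejected = [], []
    for item in (raw or "").split(","):
        item = item.strip()
        if not item:
            continue  # ignore empty segments such as a trailing comma
        if _EMAIL_RE.match(item):
            # Drop case-insensitive duplicates so each address is exposed once.
            if item.lower() not in (v.lower() for v in valid):
                valid.append(item)
        else:
            rejected.append(item)
    return valid, rejected


def validate_setting(raw):
    """Return a list of error messages; an empty list means the value can be saved."""
    valid, rejected = parse_admin_emails(raw)
    errors = [f"Not a valid email address: {r!r}" for r in rejected]
    if not valid:
        errors.append("OAI-PMH Identify requires at least one adminEmail.")
    return errors


def render_admin_emails(raw):
    """Emit <adminEmail> elements for the configured addresses only."""
    errors = validate_setting(raw)
    if errors:
        raise ValueError("; ".join(errors))
    valid, _ = parse_admin_emails(raw)
    return "\n".join(f"<adminEmail>{escape(a)}</adminEmail>" for a in valid)


if __name__ == "__main__":
    # Constructed sample values, following the shapes shown in update #7.
    for sample in ["admin@example.com",
                   "admin@example.com, second-admin@, third-email",
                   ""]:
        print(repr(sample), "->", validate_setting(sample) or render_admin_emails(sample))
```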
