Bug #2444
Metacat MN getLogRecords allows public access to logs for read restricted content
100%
Description
Metacat MN demo2 appears to allow public access to log records for objects that are read restricted for public.
Example:
export NODE=https://demo2.test.dataone.org/knb/d1/mn
curl -k -s "$NODE/v1/log?start=0&count=3"
<?xml version="1.0" encoding="UTF-8"?>
1
MNodeTierTests.201260152556757.
129.24.0.17
null
CN=testSubmitter,DC=dataone,DC=org
create
2012-02-29T23:25:58.104+00:00
urn:node:DEMO2
2
TierTesting:testObject:RightsHolder_Person.4
129.24.0.17
null
CN=testSubmitter,DC=dataone,DC=org
create
2012-02-29T23:26:38.828+00:00
urn:node:DEMO2
3
TierTesting:testObject:RightsHolder_Group.4
129.24.0.17
null
CN=testSubmitter,DC=dataone,DC=org
create
2012-02-29T23:27:40.255+00:00
urn:node:DEMO2
/d1:log
Requesting system metadata for the object of the second entry:
curl -k https://demo2.test.dataone.org/knb/d1/mn/v1/meta/TierTesting:testObject:RightsHolder_Person.4
<?xml version="1.0" encoding="UTF-8"?>
READ not allowed on TierTesting:testObject:RightsHolder_Person.4
History
#1 Updated by Ben Leinfelder over 12 years ago
- Status changed from New to Closed
Now checking for READ permission on each log entry. This could get expensive. Strike that, it WILL be expensive.
For Metacat, we opened up log entries to the public by redacting the IP and user for each entry. We could take the same approach for D1 so that you'd see the partial entries no matter what, but only the CN could view all details of the entries.
