Project

General

Profile

Bug #2444

Metacat MN getLogRecords allows public access to logs for read restricted content

Added by Dave Vieglais almost 13 years ago. Updated almost 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Ben Leinfelder
Category:
Metacat
Start date:
2012-03-06
Due date:
% Done:

100%

Milestone:
CCI-1.0.0
Product Version:
*
Story Points:
Sprint:

Description

Metacat MN demo2 appears to allow public access to log records for objects that are read restricted for public.

Example:

export NODE=https://demo2.test.dataone.org/knb/d1/mn
curl -k -s "$NODE/v1/log?start=0&count=3"

<?xml version="1.0" encoding="UTF-8"?>


1
MNodeTierTests.201260152556757.
129.24.0.17
null
CN=testSubmitter,DC=dataone,DC=org
create
2012-02-29T23:25:58.104+00:00
urn:node:DEMO2


2
TierTesting:testObject:RightsHolder_Person.4
129.24.0.17
null
CN=testSubmitter,DC=dataone,DC=org
create
2012-02-29T23:26:38.828+00:00
urn:node:DEMO2


3
TierTesting:testObject:RightsHolder_Group.4
129.24.0.17
null
CN=testSubmitter,DC=dataone,DC=org
create
2012-02-29T23:27:40.255+00:00
urn:node:DEMO2

/d1:log

Requesting system metadata for the object of the second entry:

curl -k https://demo2.test.dataone.org/knb/d1/mn/v1/meta/TierTesting:testObject:RightsHolder_Person.4

<?xml version="1.0" encoding="UTF-8"?>

READ not allowed on TierTesting:testObject:RightsHolder_Person.4

History

#1 Updated by Ben Leinfelder almost 13 years ago

  • Status changed from New to Closed

Now checking for READ permission on each log entry. This could get expensive. Strike that, it WILL be expensive.
For Metacat, we opened up log entries to the public by redacting the IP and user for each entry. We could take the same approach for D1 so that you'd see the partial entries no matter what, but only the CN could view all details of the entries.

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 14.8 MB)