"File Downloader" role: should not allow users to access "unpublished" data, should not send link to user if role assigned but data unpublished #2645
Comments
|
Changed this to Critical - needs to be fixed in the next patch. |
|
reproduced in Demo site: @pdurbin in demo...when I am notified I have been given "file downloaded access" there is a link to the dataset---but that link also throws an error. seems like another bug. If a user gets a role, gets a link, the link should work if they are logged in. Not sure how to report this.
|
|
It looks like I can reproduce this on my laptop in the 4.3 branch (I'm on commit ea290e4). Here's the "spruce" user giving access to a restricted file to the "finch" user:
Then "finch" logs in and clicks on either "trees.png" or "Spruce Goose" from MyData...
... and gets an error when trying to go to http://localhost:8080/dataset.xhtml?persistentId=doi:10.5072/FK2/QBQGQG
|
The existing isDownloadButtonAvailable method has been modified to call the new isAbleToDownloadAnyFileInWorkingVersion which is identical.
|
I pushed 8f0549a to a new branch as a proposed fix. Ideally it would be code reviewed. I'll see if @sekmiller or @raprasad or @scolapasta is available. |
|
@scolapasta I'm passing this ticket to you to review the summary of my conversation with @sekmiller (and the commit itself) at 8f0549a and decide if we should merge the fix as-is or not. |
|
@scolapasta @pdurbin @eaquigley if "file downloaders" shoudn't access unpublished, that needs to be made clear here too as there is no reference to "published/unpublished" in these descriptions
|
sbarbosadataverse
changed the title
|
I updated the issue title to fit the actual bug. Did I miss anything? |
related to #2645. updated description of role to show it is for published files only.
|
Updated the json file for this role description (forget it was in json not bundle) |
@eaquigley please check out the comment I left on that commit you just made: c8e49f2 . The tl;dr is that someone with the "File Downloader" role is able to download files even if they are not published. |
|
@eaquigley basically, I think we should revert c8e49f2 since it misrepresents how the system actually behaves.
@sbarbosadataverse you changed the title to '"File Downloader" role: should not allow users to access "unpublished" data, should not send link to user if role assigned but data unpublished' which more or less makes sense but to make this more clear and actionable for a developer, let me try to express it this way:
|
|
Right now there's no mechanism by which we can delay the sending of a notification. We can add it and then have the publish command check to see if there are pending file downloader notifications waiting to be sent. Are there any other circumstances under which it would be appropriate/necessary to delay the sending of a notification? |
|
This case in particular. File downloader itself is for "published" data. If On Fri, Oct 16, 2015 at 10:36 AM, Stephen Kraffmiller <
Sonia Barbosa Dataverse 4.0 is now available for use! All test dataverses should be created in 4.0 Demo! Join our Dataverse Community! |
@sbarbosadataverse no, it's not. That's why I'm arguing that c8e49f2 should be reverted because saying that the file dowloader role only applies to published data is a misrepresentation of that role given how the code works today. I gave demos of this yesterday and explained how if you know the file id you can download unpublished files if you have the file downloader role: c8e49f2 |
|
@sekmiller yes, when we bring embargoed datasets in as a functionality, we would need a delayed notification sent to someone if they have "subscribed" to the dataset to let them know it has been released. @pdurbin @sbarbosadataverse I think this ticket is getting a bit long winded and I should create tickets based off the email with the 5 issues in it that i sent yesterday. we also need a ticket for the file ID downloading bug @pdurbin mentioned. |
@sbarbosadataverse I wanted to confirm with @scolapasta that the code isn't working as desired, which he did, so I created #2648 about the bug that if you know the file id and have the DownloadFile permission you can download files when they haven't been published. |
@scolapasta and I discussed this and we decided that what should happen is that MyData should not show the cards in the first place. I created a separate issue about this: #2649. |
@eaquigley yes, please create more issues. These are the three I've already created for this issue:
Some of the issues you emailed about feel like post 4.2.1 issues to me since 4.2.1 is about performance and stability. We should definitely capture the ideas, though! If an FRD is better, that's fine too. I'm giving this issue to you @eaquigley to decide how best to capture those ideas. Please pass this back to @kcondon when you're done. |
|
@eaquigley captured many ideas in a variety of issues (thanks!):
@kcondon I'm passing this to QA to decide what to do with this issue. In my opinion, if #2654 and #2649 pass QA, that's enough to reply to the user in https://help.hmdc.harvard.edu/Ticket/Display.html?id=228447 to say that the bugs have been fixed. I'm still planning to work on #2648 for 4.2.1 but it's not really the bug reported by the user; it's a bug I discovered while poking around in this code. Since it's security-related I think it's worth looking at. |
|
@pdurbin @eaquigley @scolapasta @sbarbosadataverse @sekmiller |
I'm just noting here that since we didn't go with this fix I'm deleting the branch it was in: 2645-file-downloader-view-dataset |
RT ticket: https://help.hmdc.harvard.edu/Ticket/Display.html?id=228447
user reported he has file downloader role, but when he clicks on dataset name gets an error page.
I gave myself the same role with a non superuser account and I get the same error.
when you login you see the dataset is : draft unpublished file downloader clearly labeled
attempting to access throws error: NOT AUTHORIZED
The text was updated successfully, but these errors were encountered: