invenio-app-rdm Secret Links: Share Links Feature Not Working for Restricted Records in Restricted Communities

Secret Links: Share Links Feature Not Working for Restricted Records in Restricted Communities

Open Samk13 opened this issue 1 year ago • 9 comments

Package version (if known): V12rc2

Describe the bug

The share links feature on a restricted record does not work for both unauthenticated and authenticated users.

Steps to Reproduce

Create a restricted record in a restricted community and publish it / or save the draft.
Go to share -> links -> create a new link -> copy the link.
Open an incognito window and paste the link -> see permission required.
Login as a new user and try to open the link -> still see permission required.

Expected behavior

The link should open the restricted record for users with the correct permissions.

Jun 19 '24 15:06 Samk13

Related to https://github.com/inveniosoftware/invenio-app-rdm/issues/2694

Jun 19 '24 15:06 Samk13

ping @anikachurilova, can you please try to reproduce this issue?

Jun 25 '24 21:06 ntarocco

@Samk13 Thank you for reporting this! Indeed, the problem exists if restricted record is being a part of a restricted community. The reason is that to have any kind of access to a restricted record of a restricted community, having a secret link is not enough, the user have to be also a member of this community with a role that allows them the corresponding access. So in this case, secret link permission allows seeing the record, but community restriction forbids it, as a result there is a 403 error.

Expected behavior: authorized, as well as guest users have access to the record with a secret link independently of the community. However, community name should not be displayed on the landing page of a record for users that are not members (TBD).

Jun 26 '24 12:06 anikachurilova

for v12 we put that into known limitations