dspace-angular

Search function in sidebar menu "Edit" => "Metadata" does not consider user rights

Open f-rapp opened this issue 4 years ago • 3 comments

Describe the bug

DSpace 7

When a user clicks "Edit" => "Metadata" in the sidebar menu, they get a list of items to search. However, the search function also lists items which the user is not allowed to edit. When the user clicks on such an item, he receives the following message: [image: grafik]

To Reproduce

Steps to reproduce the behavior:

  1. Create a new user with no special rights.
  2. Log in with this user account.
  3. Click "Edit" => "Metadata" in the sidebar menu.
  4. Click on an item.

Expected behavior

The search function should only present items that the user is allowed to edit.

f-rapp, Sep 24 '21 08:09

@f-rapp: Think you mean 'Edit' => 'Item' or 'Import'/'Export' > 'Metadata' in the sidebar (since 'Edit' > 'Metadata' isn't an option there, only under Import/Export). Noticed this problem as well.

When you log in as a submitter there is an 'Edit' => 'Item' option in the sidebar which opens the item edit selector, but all items present there are not editable by the submitter (results in 403 forbidden page). The same problem exists for a community and collection admin (idem 'Edit' > 'Collection' shows collections this user can't edit thus resulting in 403 pages).

Additionally for the submitter the 'Import' > 'Metadata' option also results in a 403 forbidden page. And the 'Export' > 'Metadata' > Select any item > Results in a failure notification. (Idem for com/col admins, this shows com/col they can't export, and the import page also results in 403)

Also, logged in as supposed comm admin ([email protected]) the 'Edit' > 'Collection' option is shown (containing collections they can't edit), but not the 'Edit' > 'Community'.

MarieVerdonck, Oct 18 '21 10:10

Related (loosely) to #1482

tdonohue, May 20 '22 21:05

Also related to this email thread: https://groups.google.com/g/dspace-tech/c/-SiQ_LGx_ks/m/pjWrdI4HBQAJ

tdonohue, Aug 17 '22 20:08

We'd like to claim this ticket

artlowel, Oct 27 '22 14:10

@tdonohue we've noticed the same problem occurs when creating or editing Communities/Collections

Since the fix would be almost identical to the one @KoenP wrote for edit+Item, we'd like to expand the scope of this issue and address everything within the existing PR

ybnd, Jan 12 '23 15:01

@ybnd : It's ok with me to expand the scope here to include the Edit/Create Communities/Collection pages. Whether it should be in the same PR or a separate one may depend on how large the PR becomes (larger PRs obviously can be more difficult to review). That said, it's OK to move forward with additional fixes here.

tdonohue, Jan 13 '23 16:01

@tdonohue while expanding this behaviour to Communities & Collections we came to the conclusion that we should take some time to refactor how these sorts of "indexed authorizations" are handled in general.

This is too much for the scope of this PR; a more naive implementation would just lead to a lot of duplicated code now and double work later on.

It's probably best if we look at this in more detail for 7.6

ybnd, Jan 20 '23 15:01