core-geonetwork

Enhance the workflowAssistApps so that third party links can have a check access url

Open ianwallen opened this issue 1 year ago • 3 comments

Enhance the workflowAssistApps so that third party links have a check url which can be used to decide if the link should be displayed to the user or not.

We require this option so that we can have it call a check url on our third party app to decide if the user has access to the link that we added. Otherwise some users are clicking on the link just to get an access denied page.

It adds the appAccessCheckUrl and it will follow this rule.

  • If the appAccessCheckUrl exists then it will call it and check for success. If success then the link will be displayed.
  • If it does return a success then it does an extra check for false values - i.e. 0, no, false.... If that was returned from the call then it will not display the link.
  • And if the appAccessCheckUrl does not exist then it will always be displayed.

Here is a sample that was used for testing.

{
  "mods": {
    "workflowHelper": {
      "enabled": true,
      "workflowAssistApps": [
        {
          "appUrl": "https://www.google.ca/search?q={uuid}",
          "appLabelKey": "testkey",
          "appAccessCheckUrl": ""
        },
        {
          "appUrl": "https://www.google.ca/search?q={uuid}",
          "appLabelKey": "testkey2",
          "appAccessCheckUrl": "https://www.google.ca"
        },
        {
          "appUrl": "https://www.google.ca/search?q={uuid}",
          "appLabelKey": "testkey3",
          "appAccessCheckUrl": "https://www.bad.ca"
        }
      ]
    }
  }
}

It produces the following configuration.

[image]

And when viewing a metadata record, selecting [image]

In this case testkey3 is not displayed because www.bad.ca returns an HTTP 500 error.

ianwallen, Apr 14 '23 18:04

My feedback after consideration - this approach makes me uncomfortable because it is a baked-in SSRF as a feature.

If possible I would love to make a request from the security subsystem for a set of "roles", and change the check to a list of spring-security "roles".

jodygarnett, Sep 21 '23 15:09
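The three display rules from the issue, combined with a host allowlist that limits where the check call may go, as an added example that is not part of the thread or of GeoNetwork's code. `ALLOWED_CHECK_HOSTS`, `rejectCheckUrl`, `shouldDisplay` and the sample responses are hypothetical, and "success" is assumed to mean an HTTP 2xx status.

```javascript
// Added example, not GeoNetwork code. ALLOWED_CHECK_HOSTS and the function
// names are hypothetical; "success" is assumed to mean an HTTP 2xx status.
const ALLOWED_CHECK_HOSTS = new Set(['www.google.ca', 'www.bad.ca']);
const FALSE_VALUES = new Set(['0', 'no', 'false']); // values named in the issue

// Returns null when the URL may be requested, otherwise the reason it is refused.
function rejectCheckUrl(raw, allowedHosts = ALLOWED_CHECK_HOSTS) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return 'not an absolute URL';
  }
  if (url.protocol !== 'https:') return 'scheme is not https';
  if (url.username || url.password) return 'embedded credentials';
  if (url.port !== '') return 'non-default port';
  // Exact match on the parsed hostname; substring or suffix tests are bypassable.
  if (!allowedHosts.has(url.hostname)) return 'host not on the allowlist';
  return null;
}

// Applies the three display rules to one workflowAssistApps entry.
// `response` is {status, body} from the check call, or undefined if none was made.
function shouldDisplay(app, response, allowedHosts = ALLOWED_CHECK_HOSTS) {
  if (!app.appAccessCheckUrl) return true; // no check URL: always display
  if (rejectCheckUrl(app.appAccessCheckUrl, allowedHosts)) return false; // fail closed
  if (!response || response.status < 200 || response.status > 299) return false;
  return !FALSE_VALUES.has(String(response.body).trim().toLowerCase());
}

// The sample configuration from the issue, with constructed check responses.
const apps = [
  { appLabelKey: 'testkey', appAccessCheckUrl: '' },
  { appLabelKey: 'testkey2', appAccessCheckUrl: 'https://www.google.ca' },
  { appLabelKey: 'testkey3', appAccessCheckUrl: 'https://www.bad.ca' },
];
const constructedResponses = {
  testkey2: { status: 200, body: '<html>...</html>' },
  testkey3: { status: 500, body: '' },
};
function visibleLabels() {
  return apps
    .filter((a) => shouldDisplay(a, constructedResponses[a.appLabelKey]))
    .map((a) => a.appLabelKey);
}
console.log(visibleLabels()); // [ 'testkey', 'testkey2' ]
```

Whatever performs the HTTP call should also refuse to follow redirects, since a redirect from an allowlisted host would bypass the hostname check.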

In GN 4 there is a new page API. It seems like the page API may be a better approach so I will investigate the page API to see if we can achieve the same results.

ianwallen, Feb 02 '24 02:02

Hopefully the same logic can be achieved using the page APIs.

These PRs may replace this one.

  • Group restrictions https://github.com/geonetwork/core-geonetwork/pull/7707
  • Adding static pages to metadata menu https://github.com/geonetwork/core-geonetwork/pull/7802

ianwallen, Apr 02 '24 16:04