guest user and records in restricted collection (invenio 1.2)

Open martinkoehler opened this issue 8 years ago • 4 comments

There seems to be a bug in invenio 1.2. When a record is in a public collection in the global collection tree and in a restricted collection, while the latter is not in the collection tree, but guest is allowed to see records in this collection, this record will not be displayed in search.

How to reproduce:

  • Enable `CFG_WEBSEARCH_VIEWRESTRCOLL_POLICY = ANY`
  • Define a public collection in the collection tree (e.g. Public)
  • Define a restricted collection outside the collection tree (e.g. Unrestricted) with FireRole viewrestrcoll `allow any`
  • Put a record in both collections. Now guest user should be able to view the record.
  • Search for the record as guest user. The record is not displayed.

This seemed due to a "short cut" in webuser.py and search_engine.py. A quick fix is, in webuser.py:

1393,1395d1392
< else: # guest user
< user_info['precached_permitted_restricted_collections'] = get_permitted_restricted_collections(user_info)
< 
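Review bot: The direction of this hunk is reversed relative to the description: `1393,1395d1392` and the `<` markers present the `else: # guest user` branch as deleted, while the text says the fix adds it (the search_engine.py hunk further down uses `<` for the old code). Please regenerate it as a unified diff with a few context lines, so that it is visible which `if` this `else:` belongs to and whether `precached_permitted_restricted_collections` can already be set for guests on another path. The indentation of the two lines is also lost here, and since this is Python the patch cannot be applied as posted.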

Which ensures that the user object of the guest user gets a possibly non-empty `precached_permitted_restricted_collections`.

In search_engine.py the code wrongly assumes that for a guest user precached_permitted_restricted_collections is always empty. A fix here:


<             permitted_restricted_collections = []
<             ## For guest users that are actually authorized to some restricted
<             ## collection (by virtue of the IP address in a FireRole rule)
<             ## we explicitly build the list of permitted_restricted_collections

---
>             permitted_restricted_collections =  user_info.get('precached_permitted_restricted_collections', [])
>             # For guest users that are actually authorized to some restricted
>             # collection (by virtue of the IP address in a FireRole rule)
>             # we explicitly build the list of permitted_restricted_collections and we make sure that these are used in the search engine`
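Review bot: On the `>` side, `permitted_restricted_collections = user_info.get('precached_permitted_restricted_collections', [])` binds the same list object that is stored in `user_info`, so the `permitted_restricted_collections.append(coll)` loop quoted in the note that follows would modify the precached list in place and can append a collection that is already in it. Take a copy, e.g. `list(user_info.get('precached_permitted_restricted_collections', []))`, and skip collections that are already present before appending. The last comment line is also overlong and ends in a stray backtick; wrap it, and keep the `##` comment style of the lines it replaces unless the change is intentional.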

Note: The code

```python
for coll in colls:
    if collection_restricted_p(coll) and (acc_authorize_action(user_info, 'viewrestrcoll', collection=coll)[0] == 0):
        permitted_restricted_collections.append(coll)
```

is not enough, since e.g. the restricted collection "Unrestricted" is not in `colls`.

@tiborsimko and @kaplun: Does it help if I prepare a pull request for this fix?

martinkoehler Jun 15 '16 05:06
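A simplified model of the behaviour reported in the post above, as an added example that is not Invenio code and not part of the original issue. All names (`RESTRICTED`, `TREE`, `search_as_guest` and the helpers) and the sample data are constructed, and the filtering rule is an assumption about how the ANY policy is applied to search results.

```python
# Simplified model of the guest-visibility logic discussed in the issue.
# Not Invenio code: every name and value below is constructed for illustration.

RESTRICTED = {"Unrestricted": "allow any"}  # restricted collection -> FireRole rule
TREE = ["Public"]                           # collections reachable from the collection tree
RECORDS = {1: {"Public", "Unrestricted"},   # record in both collections (the reported case)
           2: {"Public"}}

def authorized(user, coll):
    """Stand-in for the access check: 'allow any' admits every user, guests included."""
    return RESTRICTED.get(coll) == "allow any"

def all_permitted_restricted(user):
    """Every restricted collection the user may view, inside the tree or not."""
    return [c for c in RESTRICTED if authorized(user, c)]

def permitted_from_colls(user, colls):
    """The loop quoted in the issue: it only inspects the collections being searched."""
    return [c for c in colls if c in RESTRICTED and authorized(user, c)]

def visible(recids, permitted):
    """Assumed ANY policy: a restricted record shows if any of its restricted
    collections is permitted; records in no restricted collection always show."""
    out = []
    for recid in recids:
        restricted = RECORDS[recid] & set(RESTRICTED)
        if not restricted or restricted & set(permitted):
            out.append(recid)
    return out

def search_as_guest(fixed):
    guest = {"guest": "1"}
    if fixed:
        # Seed from the full list; list(...) copies so appends never touch a cached value.
        permitted = list(all_permitted_restricted(guest))
    else:
        permitted = []  # the shortcut: guests are assumed to have no permitted collections
    for coll in permitted_from_colls(guest, TREE):
        if coll not in permitted:
            permitted.append(coll)
    return visible(sorted(RECORDS), permitted)

if __name__ == "__main__":
    print("shortcut:", search_as_guest(fixed=False))  # record 1 is hidden
    print("fixed:   ", search_as_guest(fixed=True))   # record 1 is listed
```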

After the changes, is the flag on the left side --"Restricted"-- also correct?

rthieledesy Jun 15 '16 07:06

The flag is there: It is a consequence of inveniosoftware/invenio#867. IMHO it should honor `record_public_p` as well (e.g. 786+ `if (get_restricted_collections_for_recid(recid, recreate_cache_if_needed=False) and not record_public_p(recid)):`). NB: `record_public_p` must of course be imported again above.

martinkoehler Jun 15 '16 17:06

It seems at least closely related to, if not a dupe of, #3619.

aw-bib Jun 17 '16 13:06

The above PR should contain the code by @martinkoehler

aw-bib Jun 21 '16 13:06