[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[EP-tech] Re: Creating a read-only (but read everyting in the archive) user (Field A.N.)

Subject: [EP-tech] Re: Creating a read-only (but read everyting in the archive) user (Field A.N.)
From: J.Salter at leeds.ac.uk (John Salter)
Date: Thu, 1 Oct 2015 12:31:10 +0000
In-reply-to: <EMEW3|1c84c8500a265074441fa0ba5280c8bbr90D8s14eprints-tech-bounces|ecs.soton.ac.uk|20151001115949.M88711@konkoly.hu>
References: <mailman.17.1443697208.26848.eprints-tech@ecs.soton.ac.uk> <EMEW3|e2cb318ef9e5b03b6534f345c1dfe433r90C0d14eprints-tech-bounces|ecs.soton.ac.uk|mailman.17.1443697208.26848.eprints-tech@ecs.soton.ac.uk> <20151001115949.M88711@konkoly.hu> <EMEW3|1c84c8500a265074441fa0ba5280c8bbr90D8s14eprints-tech-bounces|ecs.soton.ac.uk|20151001115949.M88711@konkoly.hu>

Hi,
If you look in ~/archives/ARCHIVEID/cfg/cfg.d/security.pl, you will see the code that checks document permissions.
I think that it's this block:
        if( $security eq "staffonly" )
        {
                # If you want to finer tune this, you could create
                # new privs and use them.

                # people with priv editor can read this document...
                if( $user->has_role( "editor" ) )
                {
                        return "ALLOW";
                }

                if( $user->has_role( "admin" ) )
                {
                        return "ALLOW";
                }

                # ...as can the user who deposited it...
                if( $eprint->has_owner( $user ) )
                {
                        return "ALLOW";
                }

                # ...but nobody else can
                return "DENY";

        }

That is denying your user the access.
You may want to re-use the staff-view role in these security checks by adding something like
                if( $user->has_role( "staff-view" ) )
                {
                        return "ALLOW";
                }

NB This is untested - I'd check thoroughly before using it.

If you're interested in how EPrints gets to the methods in this file, this might be useful: http://wiki.eprints.org/w/Anatomy_of_a_request#EPrint_IDs.2C_Documents_and_EP_TRIGGER_DOC_URL_REWRITE
The Apache handlers are:
EPrints::Apache::Auth::authen_doc 
EPrints::Apache::Auth::authz_doc 
- which in turn call $doc->permit(...)
 - which leads to
$c->{can_user_view_document}  and/or $c->{can_request_view_document}


Hope that helps!
Cheers,
John

-----Original Message-----
From: eprints-tech-bounces at ecs.soton.ac.uk [mailto:eprints-tech-bounces at ecs.soton.ac.uk] On Behalf Of Andras Holl
Sent: 01 October 2015 13:08
To: eprints-tech at ecs.soton.ac.uk
Subject: [EP-tech] Re: Creating a read-only (but read everyting in the archive) user (Field A.N.)


Hi,

Unfortunately does not work either of those options, with or without the +.
What I would need is access to the full text - this gives

Forbidden

You don't have permission to access /29341/1/BorsosDevBiol.pdf on this server.

error message.

Andras

> 
> Message: 4
> Date: Thu, 1 Oct 2015 10:57:56 +0100
> From: "Field A.N." <af05v at ecs.soton.ac.uk>
> Subject: [EP-tech] Re: Creating a read-only (but read everyting in 
> the 	archive) user To: eprints-tech at ecs.soton.ac.uk Message-ID: 
> <A5C4C686-599B-47ED-8BE9-03D708E5A83C at ecs.soton.ac.uk> Content-Type: 
> text/plain; charset=us-ascii
> 
> The 'staff-view' role appears to be what you're looking for ( 
>
https://github.com/eprints/eprints/blob/3.3/perl_lib/EPrints/DataObj/User.pm#L1088
)
> 
> If you edit the user record in question, and add:
> 
> 	+staff-view
> 
> ...to the 'Roles' field.  If that doesn't work, try again, but 
> without the '+' and report back so that I now which one works.
> 
> --
> Adam Field
> Business Relationship Manager and Community Lead
> EPrints Services
> +44 (0)23 8059 8814
> 
> On 30 Sep 2015, at 05:28, Andras Holl wrote:
> 
> > 
> > 
> > Dear Colleagues!
> > 
> > How can I create an EPrints user who is capable of reading every
> > document in the archive (accepted, on-line documents), even those
> > restricted to "repository staff only", but can not change anything?
> > No upload, no delete, no moving items from review to archive, etc.
> > 
> > With best regards, Andras Holl
> > 
> > Library and Information Centre, Hungarian Academy of Sciences
> > *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> > *** Archive: http://www.eprints.org/tech.php/
> > *** EPrints community wiki: http://wiki.eprints.org/
> > *** EPrints developers Forum: http://forum.eprints.org/
> 
> ------------------------------


--------------------------------------------------------------------------------
Andras Holl / Holl Andras                e-mail: holl at konkoly.hu
Konkoly Observatory / MTA CsFK CsI       Tel.: +36 1 3919368 Fax: +36 1 2754668
IT advisor / Szamitastechn. koordinator  Mail: H1525 POBox 67, Budapest, Hungary
--------------------------------------------------------------------------------

*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/
*** EPrints developers Forum: http://forum.eprints.org/

References:
- [EP-tech] Re: Creating a read-only (but read everyting in the archive) user (Field A.N.)
  - From: holl at konkoly.hu (Andras Holl)

Prev by Date: [EP-tech] Re: Creating a read-only (but read everyting in the archive) user (Field A.N.)
Next by Date: [EP-tech] Re: Creating a read-only (but read everyting in the archive) user (Field A.N.)
Previous by thread: [EP-tech] Re: Creating a read-only (but read everyting in the archive) user (Field A.N.)
Next by thread: [EP-tech] Re: Creating a read-only (but read everyting in the archive) user (Field A.N.)
Index(es):
- Date
- Thread