[EP-tech] Re: Creating a read-only (but read everything in the archive) user (Field A.N.)
- Subject: [EP-tech] Re: Creating a read-only (but read everything in the archive) user (Field A.N.)
- From: J.Salter at leeds.ac.uk (John Salter)
- Date: Thu, 1 Oct 2015 12:31:10 +0000
Hi,
If you look in ~/archives/ARCHIVEID/cfg/cfg.d/security.pl, you will see the code that checks document permissions.
I think that it's this block:
    if( $security eq "staffonly" )
    {
        # If you want to finer tune this, you could create
        # new privs and use them.

        # people with priv editor can read this document...
        if( $user->has_role( "editor" ) )
        {
            return "ALLOW";
        }

        if( $user->has_role( "admin" ) )
        {
            return "ALLOW";
        }

        # ...as can the user who deposited it...
        if( $eprint->has_owner( $user ) )
        {
            return "ALLOW";
        }

        # ...but nobody else can
        return "DENY";
    }
That is denying your user the access.
You may want to re-use the staff-view role in these security checks by adding something like
    if( $user->has_role( "staff-view" ) )
    {
        return "ALLOW";
    }
NB This is untested - I'd check thoroughly before using it.
If you're interested in how EPrints gets to the methods in this file, this might be useful: http://wiki.eprints.org/w/Anatomy_of_a_request#EPrint_IDs.2C_Documents_and_EP_TRIGGER_DOC_URL_REWRITE
The Apache handlers are:
EPrints::Apache::Auth::authen_doc
EPrints::Apache::Auth::authz_doc
- which in turn call $doc->permit(...)
- which leads to
$c->{can_user_view_document} and/or $c->{can_request_view_document}
Hope that helps!
Cheers,
John
-----Original Message-----
From: eprints-tech-bounces at ecs.soton.ac.uk [mailto:eprints-tech-bounces at ecs.soton.ac.uk] On Behalf Of Andras Holl
Sent: 01 October 2015 13:08
To: eprints-tech at ecs.soton.ac.uk
Subject: [EP-tech] Re: Creating a read-only (but read everything in the archive) user (Field A.N.)
Hi,
Unfortunately, neither of those options works, with or without the +.
What I would need is access to the full text - this gives
Forbidden
You don't have permission to access /29341/1/BorsosDevBiol.pdf on this server.
error message.
Andras
>
> Message: 4
> Date: Thu, 1 Oct 2015 10:57:56 +0100
> From: "Field A.N." <af05v at ecs.soton.ac.uk>
> Subject: [EP-tech] Re: Creating a read-only (but read everything in the archive) user
> To: eprints-tech at ecs.soton.ac.uk
> Message-ID: <A5C4C686-599B-47ED-8BE9-03D708E5A83C at ecs.soton.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> The 'staff-view' role appears to be what you're looking for (
> https://github.com/eprints/eprints/blob/3.3/perl_lib/EPrints/DataObj/User.pm#L1088
> )
>
> If you edit the user record in question, and add:
>
> +staff-view
>
> ...to the 'Roles' field. If that doesn't work, try again, but
> without the '+' and report back so that I know which one works.
>
> --
> Adam Field
> Business Relationship Manager and Community Lead
> EPrints Services
> +44 (0)23 8059 8814
>
> On 30 Sep 2015, at 05:28, Andras Holl wrote:
>
> >
> >
> > Dear Colleagues!
> >
> > How can I create an EPrints user who is capable of reading every
> > document in the archive (accepted, on-line documents), even those
> > restricted to "repository staff only", but can not change anything?
> > No upload, no delete, no moving items from review to archive, etc.
> >
> > With best regards, Andras Holl
> >
> > Library and Information Centre, Hungarian Academy of Sciences
> > *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> > *** Archive: http://www.eprints.org/tech.php/
> > *** EPrints community wiki: http://wiki.eprints.org/
> > *** EPrints developers Forum: http://forum.eprints.org/
>
> ------------------------------
--------------------------------------------------------------------------------
Andras Holl / Holl Andras e-mail: holl at konkoly.hu
Konkoly Observatory / MTA CsFK CsI Tel.: +36 1 3919368 Fax: +36 1 2754668
IT advisor / Szamitastechn. koordinator Mail: H1525 POBox 67, Budapest, Hungary
--------------------------------------------------------------------------------
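A stand-alone way to exercise the "staffonly" decision logic from John Salter's reply before editing security.pl, as an added example that is not part of the original thread or of EPrints itself. StubUser, StubEPrint, staffonly_decision and the user names are hypothetical stand-ins; only has_role, has_owner and the role names come from the messages above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stubs: only has_role() and has_owner() mirror calls quoted in the thread.
{
    package StubUser;
    sub new { my( $class, $name, @roles ) = @_;
              return bless { name => $name, roles => { map { $_ => 1 } @roles } }, $class; }
    sub has_role { my( $self, $role ) = @_; return exists $self->{roles}{$role} ? 1 : 0; }
}
{
    package StubEPrint;
    sub new { my( $class, $owner ) = @_; return bless { owner => $owner }, $class; }
    sub has_owner { my( $self, $user ) = @_; return $self->{owner} eq $user->{name} ? 1 : 0; }
}

# Model of the "staffonly" branch: any listed role, or ownership, allows; all else is denied.
sub staffonly_decision
{
    my( $user, $eprint, @allowed_roles ) = @_;
    foreach my $role ( @allowed_roles )
    {
        return "ALLOW" if $user->has_role( $role );
    }
    return "ALLOW" if $eprint->has_owner( $user );   # the depositor
    return "DENY";                                   # default deny
}

my @original = qw( editor admin );            # roles checked in the quoted block
my @modified = ( @original, "staff-view" );   # with the suggested extra check
my $eprint   = StubEPrint->new( "depositor1" );

# Constructed cases: [ user name, roles, expected before, expected after ]
my @cases = (
    [ "editor1",    [ "editor" ],     "ALLOW", "ALLOW" ],
    [ "admin1",     [ "admin" ],      "ALLOW", "ALLOW" ],
    [ "depositor1", [],               "ALLOW", "ALLOW" ],
    [ "reader1",    [ "staff-view" ], "DENY",  "ALLOW" ],
    [ "other1",     [],               "DENY",  "DENY"  ],
);
my $failures = 0;
foreach my $case ( @cases )
{
    my( $name, $roles, $want_before, $want_after ) = @$case;
    my $user   = StubUser->new( $name, @$roles );
    my $before = staffonly_decision( $user, $eprint, @original );
    my $after  = staffonly_decision( $user, $eprint, @modified );
    my $ok     = ( $before eq $want_before && $after eq $want_after );
    $failures++ unless $ok;
    printf "%-11s roles=%-11s before=%-5s after=%-5s %s\n",
        $name, join( ",", @$roles ) || "-", $before, $after, $ok ? "ok" : "MISMATCH";
}
exit( $failures ? 1 : 0 );
```

In this model the reader1 row is the only one whose decision changes, and a user with no matching role and no ownership still falls through to DENY.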