[EP-tech] Re: Creating a read-only (but read everything in the archive) user (Field A.N.)
- Subject: [EP-tech] Re: Creating a read-only (but read everything in the archive) user (Field A.N.)
- From: holl at konkoly.hu (Andras Holl)
- Date: Fri, 2 Oct 2015 08:30:52 +0200
Hi John,
Thanks a lot, it works!
I have added the

    if( $user->has_role( "staff-view" ) )
    {
        return "ALLOW";
    }

part to security.pl, and set the staff-view role to the user (without the "+")
and it works! Thank You!
Andras
Andras Holl
Library and Information Centre,
Hungarian Academy of Sciences
>Hi,
>If you look in ~/archives/ARCHIVEID/cfg/cfg.d/security.pl, you will see the
>code that checks document permissions.
>I think that it's this block:
>    if( $security eq "staffonly" )
>    {
>        # If you want to finer tune this, you could create
>        # new privs and use them.
>
>        # people with priv editor can read this document...
>        if( $user->has_role( "editor" ) )
>        {
>            return "ALLOW";
>        }
>
>        if( $user->has_role( "admin" ) )
>        {
>            return "ALLOW";
>        }
>
>        # ...as can the user who deposited it...
>        if( $eprint->has_owner( $user ) )
>        {
>            return "ALLOW";
>        }
>
>        # ...but nobody else can
>        return "DENY";
>
>    }
>
>That is denying your user the access.
>You may want to re-use the staff-view role in these security checks by adding
>something like
>    if( $user->has_role( "staff-view" ) )
>    {
>        return "ALLOW";
>    }
>
>NB This is untested - I'd check thoroughly before using it.
>
>If you're interested in how EPrints gets to the methods in this file, this
>might be useful:
>http://wiki.eprints.org/w/Anatomy_of_a_request#EPrint_IDs.2C_Documents_and_EP_TRIGGER_DOC_URL_REWRITE
>The Apache handlers are:
>EPrints::Apache::Auth::authen_doc
>EPrints::Apache::Auth::authz_doc
>- which in turn call $doc->permit(...)
> - which leads to
>$c->{can_user_view_document} and/or $c->{can_request_view_document}
>
>
>Hope that helps!
>Cheers,
>John
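
Added example, not part of either message and not EPrints code: a stand-alone Perl model of the staffonly branch with the staff-view check in place, run over one constructed user per case so the ALLOW/DENY outcome can be checked before security.pl is changed. MockUser, MockEPrint, staffonly_decision and the user ids are hypothetical stand-ins that provide only the has_role and has_owner calls the quoted block uses.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for the EPrints user object: only has_role().
package MockUser;
sub new
{
    my( $class, $id, @roles ) = @_;
    return bless { id => $id, roles => { map { $_ => 1 } @roles } }, $class;
}
sub has_role { my( $self, $role ) = @_; return exists $self->{roles}{$role}; }

# Hypothetical stand-in for the eprint object: only has_owner().
package MockEPrint;
sub new { my( $class, $owner_id ) = @_; return bless { owner => $owner_id }, $class; }
sub has_owner { my( $self, $user ) = @_; return $self->{owner} == $user->{id}; }

package main;

# Model of the quoted "staffonly" branch plus the staff-view check.
# Anything not explicitly allowed falls through to DENY.
sub staffonly_decision
{
    my( $eprint, $user ) = @_;
    for my $role ( qw( editor admin staff-view ) )
    {
        return "ALLOW" if $user->has_role( $role );
    }
    return "ALLOW" if $eprint->has_owner( $user );
    return "DENY";
}

my $eprint = MockEPrint->new( 1 );    # constructed: deposited by user id 1
my @cases = (                         # constructed users: [ label, user, expected ]
    [ "depositor",  MockUser->new( 1 ),                    "ALLOW" ],
    [ "editor",     MockUser->new( 2, "editor" ),          "ALLOW" ],
    [ "admin",      MockUser->new( 3, "admin" ),           "ALLOW" ],
    [ "staff-view", MockUser->new( 4, "staff-view" ),      "ALLOW" ],
    [ "other-role", MockUser->new( 5, "some-other-role" ), "DENY"  ],
    [ "no-roles",   MockUser->new( 6 ),                    "DENY"  ],
);
my $failures = 0;
for my $case ( @cases )
{
    my( $label, $user, $want ) = @$case;
    my $got = staffonly_decision( $eprint, $user );
    $failures++ if $got ne $want;
    printf "%-11s %-5s %s\n", $label, $got, ( $got eq $want ? "ok" : "MISMATCH (expected $want)" );
}
exit( $failures ? 1 : 0 );
```

The script exits non-zero if any case disagrees with its expected decision, so it can be rerun whenever the list of allowed roles changes.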