
[EP-tech] IP Based access on restricted documents



Hi Raja,

The logic to check whether someone has access to a document is as follows:

    if( $priv eq "document/view" )
    {
        my $r;
        if( defined $user )
        {
            $r = $self->{session}->call( "can_user_view_document",
                $self,
                $user
            );
            return 1 if $r eq "ALLOW";
            return 0 if $r eq "DENY";
            EPrints->abort( "can_user_view_document returned '$r': expected ALLOW or DENY" );
        }
        else
        {
            $r = $self->{session}->call( "can_request_view_document",
                $self,
                $self->{session}->{request}
            );
            return 1 if $r eq "ALLOW";
            return 0 if $r eq "DENY" || $r eq "USER";
            EPrints->abort( "can_request_view_document returned '$r': expected ALLOW, DENY or USER" );
        }
    }

It depends on whether the code you provide is within the configuration option
$c->{can_user_view_document} or $c->{can_request_view_document}. If it
is the former (i.e. can_user...) then the only valid options are ALLOW
or DENY. USER is only valid for the can_request_view_document and even
there it is not intended to be used to give access to documents (this
should only ever be ALLOW), it just prevents an abort. I have to admit I
don't know what the purpose of USER as a return value is, I think it may
still be there for legacy reasons. Therefore, I would change your code
where it says USER and set this to ALLOW inside both the code blocks for
$c->{can_user_view_document} and $c->{can_request_view_document}.

Also, I have fixed a known bug with the
perl_lib/EPrints/DataObj/Document.pm to deal with permission issues when
you have been given access through "Request a Copy" but are also logged
in as a user but without the permissions to access the requested
document. The new code to be released in 3.4.3 can be found at:

https://github.com/eprints/eprints3.4/blob/master/perl_lib/EPrints/DataObj/Document.pm

Regards

David Newman


On 18/01/2021 17:16, RAJA VISHWA wrote:
> Hi David,
> I just did the following code. But no luck.
>     my $ip = $doc->repository->remote_ip();
>     my( $res, $passwd_sent ) = $r->get_basic_auth_pw;
>     my( $user_sent ) = $r->user;
>     if( defined $user_sent )
>     {
>         if( $user_sent eq "foo" && $passwd_sent eq "bar" )
>         {
>             return "ALLOW";
>         }
>         # return a 403.
>         $r->note_basic_auth_failure;
>         return "DENY";
>     }
>     my( $oncampus ) = 0;
>     $oncampus = 1 if( $ip eq "my_campus_ip" );
>     return( "USER" ) if( $security eq "campus_and_validuser" && $oncampus );
>     return( "ALLOW" ) if( $security eq "campus_or_validuser" && $oncampus );
>     return( "ALLOW" ) if( $security eq "campus" && $oncampus );
>     return( "USER" );
>
> On Mon, Jan 18, 2021 at 7:29 PM David R Newman <drn at ecs.soton.ac.uk> wrote:
>
>     Hi Raja,
>
>     Yes, there should be settings for this in your archive's
>     cfg/cfg.d/security.pl.
>     Be careful to make sure the function to look up the IP address
>     looks like:
>
>     my $ip = $eprint->repository->remote_ip();
>
>     As the older way of doing this breaks in recent versions of Apache
>     and can make documents publicly accessible you would not otherwise
>     intend to be.
>
>     Regards
>
>     David Newman
>
>     On 18/01/2021 13:43, RAJA VISHWA via Eprints-tech wrote:
>>     Dear Team,
>>
>>     Is it possible to allow restricted document access from the
>>     institution's IP?
>>
>>     For example, any request is coming from Institution IP ranges
>>     shall we allow them to access the protected content without
>>     authentication?
>>
>>     I just tried to configure the file which is available
>>     ( https://wiki.eprints.org/w/EPrints_User_Group_2015-01-13 )
>>     at /opt/eprints3/archives/xxx/cfg/cfg.d/security.pl.
>>     But no luck.
>>
>>     Could anyone help me out?
>>
>>     Thanks,
>>     Raja V
>>
>
> -- 
> Thanks with Regards,
> Raja V
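
The request-side mapping shown at the top of this message, combined with a campus check that tests IP ranges rather than a single string, as an added stand-alone example (not code from the thread or from EPrints). The helper names, the `$security` parameter and the CIDR blocks are assumptions made for illustration; the example extends the single-address comparison in the quoted code to ranges.

```perl
use strict;
use warnings;

# Constructed campus ranges (RFC 5737 documentation networks), not real ones.
my @CAMPUS_CIDRS = ( "192.0.2.0/24", "198.51.100.128/25" );

# Parse a dotted-quad IPv4 string to an integer; empty return if malformed.
sub ip_to_int
{
	my( $ip ) = @_;
	return unless defined $ip && $ip =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/;
	my @octets = ( $1, $2, $3, $4 );
	return if grep { $_ > 255 } @octets;
	return ( $octets[0] << 24 ) | ( $octets[1] << 16 ) | ( $octets[2] << 8 ) | $octets[3];
}

# True if $ip lies inside $cidr; a plain "eq" comparison cannot test a range.
sub ip_in_cidr
{
	my( $ip, $cidr ) = @_;
	my( $net, $bits ) = split m{/}, $cidr;
	return 0 unless defined $bits && $bits =~ /\A[0-9]+\z/ && $bits <= 32;
	my $ip_n = ip_to_int( $ip );
	my $net_n = ip_to_int( $net );
	return 0 unless defined $ip_n && defined $net_n;
	my $mask = $bits ? ( 0xFFFFFFFF << ( 32 - $bits ) ) & 0xFFFFFFFF : 0;
	return ( ( $ip_n & $mask ) == ( $net_n & $mask ) ) ? 1 : 0;
}

# Hypothetical stand-in for the body of $c->{can_request_view_document}.
# In EPrints $ip would come from $doc->repository->remote_ip(); here both
# values are passed in so the script runs without an EPrints install.
sub request_decision
{
	my( $security, $ip ) = @_;
	my $oncampus = grep { ip_in_cidr( $ip, $_ ) } @CAMPUS_CIDRS;
	return "ALLOW" if $oncampus && ( $security eq "campus" || $security eq "campus_or_validuser" );
	return "DENY";    # deny by default, including malformed addresses
}

# Same mapping as the else-branch quoted at the top of this message.
sub request_can_view
{
	my( $r ) = @_;
	return 1 if $r eq "ALLOW";
	return 0 if $r eq "DENY" || $r eq "USER";
	die "can_request_view_document returned '$r': expected ALLOW, DENY or USER\n";
}

for my $case ( [ "campus", "192.0.2.77" ], [ "campus", "198.51.100.5" ],
	[ "campus_or_validuser", "198.51.100.200" ], [ "campus", "not-an-ip" ] )
{
	my $r = request_decision( @$case );
	printf "%-20s %-15s %-5s can_view=%d\n", @$case, $r, request_can_view( $r );
}
printf "%-20s %-15s %-5s can_view=%d\n", "(any)", "(any)", "USER", request_can_view( "USER" );
```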

