[EP-tech] IP Based access on restricted documents
- Subject: [EP-tech] IP Based access on restricted documents
- From: drn at ecs.soton.ac.uk (David R Newman)
- Date: Mon, 18 Jan 2021 17:43:10 +0000
- In-reply-to: <CAAZXAPF=eKcxm_fjzGL0V5L1yAgLW4tKmVYBJxRDEBU6kR7zuA@mail.gmail.com>
- References: <CAAZXAPH2nQjq33SpKiu-Jqr=u53MeQ8hyP0UjpEG8UsU+w4i=A@mail.gmail.com> <EMEW3|a33f714b23de54147f3529658f912456x0HDkW14eprints-tech-bounces|ecs.soton.ac.uk|CAAZXAPH2nQjq33SpKiu-Jqr=u53MeQ8hyP0UjpEG8UsU+w4i=A@mail.gmail.com> <2d57d5cc-43a3-489e-403b-a83da75ab192@ecs.soton.ac.uk> <CAAZXAPF=eKcxm_fjzGL0V5L1yAgLW4tKmVYBJxRDEBU6kR7zuA@mail.gmail.com> <9f685057-19f2-aa74-0a01-c634f37f1c9d@ecs.soton.ac.uk>
Hi Raja,
The logic to check whether someone has access to a document is as follows:
    if( $priv eq "document/view" )
    {
        my $r;
        if( defined $user )
        {
            $r = $self->{session}->call(
                "can_user_view_document",
                $self,
                $user
            );
            return 1 if $r eq "ALLOW";
            return 0 if $r eq "DENY";
            EPrints->abort( "can_user_view_document returned '$r': expected ALLOW or DENY" );
        }
        else
        {
            $r = $self->{session}->call(
                "can_request_view_document",
                $self,
                $self->{session}->{request}
            );
            return 1 if $r eq "ALLOW";
            return 0 if $r eq "DENY" || $r eq "USER";
            EPrints->abort( "can_request_view_document returned '$r': expected ALLOW, DENY or USER" );
        }
    }
Is the code you provide within the configuration option
$c->{can_user_view_document} or $c->{can_request_view_document}? If it
is the former (i.e. can_user...) then the only valid options are ALLOW
or DENY. USER is only valid for the can_request_view_document and even
there it is not intended to be used to give access to documents (this
should only ever be ALLOW), it just prevents an abort. I have to admit I
don't know what the purpose of USER as a return value is, I think it may
still be there for legacy reasons. Therefore, I would change your code
where it says USER and set this to ALLOW inside both the code blocks for
$c->{can_user_view_document} and $c->{can_request_view_document}.
Also, I have fixed a known bug with the
perl_lib/EPrints/DataObj/Document.pm to deal with permission issues when
you have been given access through "Request a Copy" but are also logged
in as a user but without the permissions to access the requested
document. The new code to be released in 3.4.3 can be found at:
https://github.com/eprints/eprints3.4/blob/master/perl_lib/EPrints/DataObj/Document.pm
Regards
David Newman
On 18/01/2021 17:16, RAJA VISHWA wrote:
> Hi David,
> I just did the following code. But no luck.
>     my $ip = $doc->repository->remote_ip();
>     my( $res, $passwd_sent ) = $r->get_basic_auth_pw;
>     my( $user_sent ) = $r->user;
>     if( defined $user_sent )
>     {
>         if( $user_sent eq "foo" && $passwd_sent eq "bar" )
>         {
>             return "ALLOW";
>         }
>         # return a 403.
>         $r->note_basic_auth_failure;
>         return "DENY";
>     }
>     my( $oncampus ) = 0;
>     $oncampus = 1 if( $ip eq "my_campus_ip" );
>     return( "USER" ) if( $security eq "campus_and_validuser" && $oncampus );
>     return( "ALLOW" ) if( $security eq "campus_or_validuser" && $oncampus );
>     return( "ALLOW" ) if( $security eq "campus" && $oncampus );
>     return( "USER" );
>
> On Mon, Jan 18, 2021 at 7:29 PM David R Newman <drn at ecs.soton.ac.uk> wrote:
>
> Hi Raja,
>
> Yes, there should be settings for this in your archive's
> cfg/cfg.d/security.pl.
> Be careful to make sure the function to look up the IP address
> looks like:
>
> my $ip = $eprint->repository->remote_ip();
>
> As the older way of doing this breaks in recent versions of Apache
> and can make documents publicly accessible that you would not
> otherwise intend to be.
>
> Regards
>
> David Newman
>
> On 18/01/2021 13:43, RAJA VISHWA via Eprints-tech wrote:
>> Dear Team,
>>
>> Is it possible to allow restricted document access from the
>> institution's IP?
>>
>> For example, if any request is coming from the institution's IP ranges,
>> shall we allow them to access the protected content without
>> authentication?
>>
>> I just tried to configure the file which is available
>> (https://wiki.eprints.org/w/EPrints_User_Group_2015-01-13)
>> at /opt/eprints3/archives/xxx/cfg/cfg.d/security.pl.
>> But no luck.
>>
>> Could anyone help me out?
>>
>> Thanks,
>> Raja V
>>
> --
> Thanks with Regards,
> Raja V
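An added example, not part of the original messages and not EPrints code: a stand-alone Perl model of the return-value handling quoted in the reply, with the single-address comparison from the thread generalised to IPv4 CIDR ranges as the original question asks. The sub names, the @CAMPUS list and the sample addresses are assumptions; in a real callback the address would come from $doc->repository->remote_ip() as advised in the thread.

```perl
use strict;
use warnings;

# Constructed campus ranges (RFC 5737 documentation networks), not real addresses.
my @CAMPUS = ( "192.0.2.0/24", "198.51.100.128/25" );

# Dotted-quad string to 32-bit integer; undef for anything malformed.
sub ip_to_int {
	my( $ip ) = @_;
	return undef unless defined $ip && $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
	my @o = ( $1, $2, $3, $4 );
	return undef if grep { $_ > 255 } @o;
	return ( $o[0] << 24 ) | ( $o[1] << 16 ) | ( $o[2] << 8 ) | $o[3];
}

# True only if $ip parses and falls inside one of the @CAMPUS blocks.
sub on_campus {
	my $addr = ip_to_int( $_[0] );
	return 0 unless defined $addr;
	foreach my $cidr ( @CAMPUS ) {
		my( $net, $bits ) = split m{/}, $cidr;
		my $mask = $bits ? ( 0xFFFFFFFF << ( 32 - $bits ) ) & 0xFFFFFFFF : 0;
		return 1 if ( $addr & $mask ) == ( ip_to_int( $net ) & $mask );
	}
	return 0;
}

# Hypothetical request-level decision, shaped like can_request_view_document.
sub request_decision {
	my( $security, $ip ) = @_;
	return "ALLOW" if $security eq "public";
	return "ALLOW" if $security eq "campus" && on_campus( $ip );
	return "USER";    # kept from the quoted config; see permit() for its effect
}

# The branch quoted in the message, reduced to its return-value handling.
sub permit {
	my( $logged_in, $r ) = @_;
	return 1 if $r eq "ALLOW";
	return 0 if $r eq "DENY" || ( !$logged_in && $r eq "USER" );
	die "callback returned '$r': expected ALLOW or DENY\n";
}
# Constructed anonymous requests: [ document security, client IP ].
foreach my $case ( [ "campus", "192.0.2.44" ], [ "campus", "198.51.100.7" ], [ "campus", "192.0.2.999" ] ) {
	my $r = request_decision( @$case );
	printf "%-7s %-13s %-5s permit=%d\n", @$case, $r, permit( 0, $r );
}
# A logged-in user's callback returning USER takes the abort path instead.
print "logged-in USER: ", ( eval { permit( 1, "USER" ) } // "abort: $@" );
```

Only the first request is permitted: 198.51.100.7 is outside the /25 and 192.0.2.999 is malformed, so both fall through to USER, which the quoted branch treats as no access for an anonymous request.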