Attention This email originates from outside the concordia.ca domain. // Ce courriel provient de l'extérieur du domaine de concordia.ca

Hi Tomasz,

I am not sure whether these permissions are needed for OAI-PMH, I don't think they are.  However, if you can access the metadata for eprints in the live archive via /cgi/oai2 (e.g. https://pub.demo.eprints-hosting.org/cgi/oai2?verb=GetRecord&metadataPrefix=oai_dc&identifier=oai:pub.demo.eprints-hosting.org:1) after you have removed these permissions and reloaded Apache, then it would be clear they are not needed for OAI-PMH. 

I think the user_roles.pl permissions are only required for the /rest/ path API and not OAI-PMH or the content negotiation API using the URIs for eprint records.  This content negotiation API uses the public XML export plugin, which will remove any metadata fields that have their export_as_xml attribute set to 0, if the request is unauthenticated. (Also, it will forbid any requests for eprint records not in the live archive).

Regards

David Newman

CAUTION: This e-mail originated outside the University of Southampton.

Hi David!

Thank you for the information.  I did notice this default setting:

$c->{public_roles} = [qw{
    +eprint/archive/rest/get
    +subject/rest/get
}];

In your answer, it wasn't clear, are these permissions necessary for OAI-PMH to harvesting to work correctly?

If I remove these permissions because I don't want public access to the API, will that break the OAI harvesting?

I guess I'm still a little confused if the public user needs this permission "eprint/archive/rest/get" and what would break if they didn't have it.  

Tomasz

________________________________________________

Tomasz Neugebauer
Senior Librarian | Bibliothécaire titulaire
Digital Projects & Systems Development Librarian / Bibliothécaire des Projets Numériques & Développement de Systèmes
Concordia University / Université Concordia

Tel. / Tél. 514-848-2424 ext. / poste 7738
Email / courriel: tomasz.neugebauer@concordia.ca

Mailing address / adresse postale: 1455 De Maisonneuve Blvd. W., LB-540-03, Montreal, Quebec H3G 1M8
Street address / adresse municipale: 1400 De Maisonneuve Blvd. W., LB-540-03, Montreal, Quebec H3G 1M8

library.concordia.ca

---

From: David R Newman <drn@ecs.soton.ac.uk>
Sent: January 26, 2026 11:56 AM
To: eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk>; Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
Subject: Re: [EP-tech] Rest API permissions

 

Attention This email originates from outside the concordia.ca domain. // Ce courriel provient de l'extérieur du domaine de concordia.ca

Hi Tomasz,

Read-only access is available to the REST API for public users. On the path /rest/.  E.g. https://tryme.demo.eprints-hosting.org/rest/

lib/cfg.d/user_roles.pl defines that a public user can have GET (read-only) access to all subject data objects and all eprint records in the live archive.  The configuration looks as follows:

$c->{public_roles} = [qw{
    +eprint/archive/rest/get
    +subject/rest/get
}];

/rest/ also lists the user dataset but you need to authenticated to access the metadata for user data objects, albeit you can see what autoincrement user IDs exist.

The REST API allows you to get all the (XML) metadata for a eprint or subject data object or get the metadata for an individual field as either XML or plain text.  Similarly, you can get metadata for the sub-data objects of an eprint, such as the document or file metadata.

I am not aware of crawlers or harvesters hitting this API (/rest/...) that much.

Beyond the API under /rest/ there is also a RESTful API that can be used through content negotiation using the URIs for data objects (e.g. https://tryme.demo.eprints-hosting.org/id/eprint/6 with and "Accept: application/vnd.eprints.data+xml".  E.g.

curl --header "Accept: application/vnd.eprints.data+xml" https://tryme.demo.eprints-hosting.org/id/eprint/7

Similarly, although crawlers might request the above URL they are usually requesting text/html.  Harvesters (such as OAI-PMH) uses this RESTful content-negotiation API to rpovide metadata and it can also be called by third-party applications to push data.  E.g. the following can create an EPrint record using the XML stored in the local file at /home/eprints/eprint.xml:

curl -X POST -u USERNAME:PASSWORD --data-binary "@/home/eprints/eprint.xml" -H "Content-Type: application/vnd.eprints.data+xml" https://example.eprints-hosting.org/id/contents

Regards

David Newman

On 26/01/2026 15:57, Tomasz Neugebauer wrote:

CAUTION: This e-mail originated outside the University of Southampton.

CAUTION: This e-mail originated outside the University of Southampton.

Good morning from a snowy and cold Montreal 🙂

I was wondering about the permissions for the EPrints REST API.

Is the REST API used by legitimate crawlers or harvesters?

What's the typical use case for the Rest API in EPrints?

Do we need to have any Rest API related permissions enabled for the public user?

Tomasz

________________________________________________

Tomasz Neugebauer
Senior Librarian | Bibliothécaire titulaire
Digital Projects & Systems Development Librarian / Bibliothécaire des Projets Numériques & Développement de Systèmes
Concordia University / Université Concordia

Tel. / Tél. 514-848-2424 ext. / poste 7738
Email / courriel: tomasz.neugebauer@concordia.ca

Mailing address / adresse postale: 1455 De Maisonneuve Blvd. W., LB-540-03, Montreal, Quebec H3G 1M8
Street address / adresse municipale: 1400 De Maisonneuve Blvd. W., LB-540-03, Montreal, Quebec H3G 1M8

library.concordia.ca

*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/