EPrints Technical Mailing List Archive
Message: #08457
Re: [EP-tech] IP Based access on restricted documents
- To: RAJA VISHWA <rajamca66@gmail.com>
- Subject: Re: [EP-tech] IP Based access on restricted documents
- From: David R Newman <drn@ecs.soton.ac.uk>
- Date: Mon, 18 Jan 2021 17:43:10 +0000
Hi Raja,
The logic to check whether someone has access to a document is as follows:
    if( $priv eq "document/view" )
    {
        my $r;
        if( defined $user )
        {
            $r = $self->{session}->call(
                "can_user_view_document",
                $self,
                $user
            );
            return 1 if $r eq "ALLOW";
            return 0 if $r eq "DENY";
            EPrints->abort( "can_user_view_document returned '$r': expected ALLOW or DENY" );
        }
        else
        {
            $r = $self->{session}->call(
                "can_request_view_document",
                $self,
                $self->{session}->{request}
            );
            return 1 if $r eq "ALLOW";
            return 0 if $r eq "DENY" || $r eq "USER";
            EPrints->abort( "can_request_view_document returned '$r': expected ALLOW, DENY or USER" );
        }
    }
If the code you provide within the configuration option $c->{can_user_view_document} or $c->{can_request_view_document}. If it is the former (i.e. can_user...) then the only valid options are ALLOW or DENY. USER is only valid for the can_request_view_document and even there it is not intended to be used to give access to documents (this should only ever be ALLOW), it just prevents an abort. I have to admit I don't know what the purpose of USER as a return value is, I think it may still be there for legacy reasons. Therefore, I would change your code where it says USER and set this to ALLOW inside both the code blocks for $c->{can_user_view_document} and $c->{can_request_view_document}.
Also, I have fixed a known bug with the perl_lib/EPrints/DataObj/Document.pm to deal with permission issues when you have been given access through "Request a Copy" but are also logged in as a user but without the permissions to access the requested document. The new code to be released in 3.4.3 can be found at:
https://github.com/eprints/eprints3.4/blob/master/perl_lib/EPrints/DataObj/Document.pm
Regards
David Newman
Hi David,
I just did the following code. But no luck.
    my $ip = $doc->repository->remote_ip();
    my( $res, $passwd_sent ) = $r->get_basic_auth_pw;
    my( $user_sent ) = $r->user;
    if( defined $user_sent )
    {
        if( $user_sent eq "foo" && $passwd_sent eq "bar" )
        {
            return "ALLOW";
        }
        # return a 403.
        $r->note_basic_auth_failure;
        return "DENY";
    }
    my( $oncampus ) = 0;
    $oncampus = 1 if( $ip eq "my_campus_ip" );
    return( "USER" ) if( $security eq "campus_and_validuser" && $oncampus );
    return( "ALLOW" ) if( $security eq "campus_or_validuser" && $oncampus );
    return( "ALLOW" ) if( $security eq "campus" && $oncampus );
    return( "USER" );
On Mon, Jan 18, 2021 at 7:29 PM David R Newman <drn@ecs.soton.ac.uk> wrote:
Hi Raja,
Yes, there should be settings for this in your archive's cfg/cfg.d/security.pl. Be careful to make sure the function to look up the IP address looks like:
    my $ip = $eprint->repository->remote_ip();
As the older way of doing this breaks in recent versions of Apache and can make documents publicly accessible that you would not otherwise intend to be.
Regards
David Newman
On 18/01/2021 13:43, RAJA VISHWA via Eprints-tech wrote:
Dear Team,
Is it possible to allow restricted document access from the institution's IP?
For example, if any request is coming from the institution's IP ranges, shall we allow them to access the protected content without authentication?
I just tried to configure the file which is available (https://wiki.eprints.org/w/EPrints_User_Group_2015-01-13) at /opt/eprints3/archives/xxx/cfg/cfg.d/security.pl. But no luck.
Could anyone help me out?
Thanks,
Raja V
--
Thanks with Regards,
Raja V
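An added example, not part of the original messages and not EPrints code: a stand-alone Perl sketch of the on-campus check discussed in this thread, matching the client address against CIDR ranges instead of a single string and denying by default. The ranges are constructed sample values, `ipv4_to_int`, `ip_in_cidr` and `campus_decision` are hypothetical names, the wiring shown in the final comment is an assumption based on the call quoted above, and only IPv4 is handled.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample ranges (documentation networks), not real campus ranges.
my @CAMPUS_RANGES = ( "192.0.2.0/24", "198.51.100.64/26" );

# Dotted quad -> 32-bit integer, or undef if the string is not a valid IPv4 address.
sub ipv4_to_int
{
	my( $ip ) = @_;
	return undef unless defined $ip && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
	my @o = ( $1, $2, $3, $4 );
	return undef if grep { $_ > 255 } @o;
	my $n = ( $o[0] << 24 ) | ( $o[1] << 16 ) | ( $o[2] << 8 ) | $o[3];
	return $n;
}

# 1 if $ip lies inside the CIDR block $cidr; 0 on any parse failure (fail closed).
sub ip_in_cidr
{
	my( $ip, $cidr ) = @_;
	my( $net, $bits ) = split m{/}, $cidr;
	return 0 unless defined $bits && $bits =~ /^\d{1,2}$/ && $bits <= 32;
	my( $ip_n, $net_n ) = ( ipv4_to_int( $ip ), ipv4_to_int( $net ) );
	return 0 unless defined $ip_n && defined $net_n;
	my $mask = $bits == 0 ? 0 : ( 0xFFFFFFFF << ( 32 - $bits ) ) & 0xFFFFFFFF;
	return ( ( $ip_n & $mask ) == ( $net_n & $mask ) ) ? 1 : 0;
}

# Decision for a request with no logged-in user. Only the on-campus branch is
# modelled; "campus" and "campus_or_validuser" are the security values used in
# the code posted in this thread. Everything else is denied.
sub campus_decision
{
	my( $security, $ip ) = @_;
	my $oncampus = grep { ip_in_cidr( $ip, $_ ) } @CAMPUS_RANGES;
	return "ALLOW" if $oncampus && ( $security eq "campus" || $security eq "campus_or_validuser" );
	return "DENY";
}

# Constructed test requests: [ document security value, client address ].
for my $case ( [ "campus", "192.0.2.17" ], [ "campus", "198.51.100.10" ],
	[ "campus_or_validuser", "198.51.100.70" ], [ "campus_and_validuser", "192.0.2.17" ],
	[ "campus", "192.0.2.17.evil" ] )
{
	printf "%-22s %-18s %s\n", @$case, campus_decision( @$case );
}

# Assumed wiring in cfg/cfg.d/security.pl (sketch only):
# $c->{can_request_view_document} = sub {
#	my( $doc, $r ) = @_;
#	return campus_decision( $doc->get_value( "security" ), $doc->repository->remote_ip() );
# };
```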