EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #08457


< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First

Re: [EP-tech] IP Based access on restricted documents


Hi Raja,

The logic to check whether someone has access to a document is as follows:

 if( $priv eq "document/view" )
        {
                my $r;
                if( defined $user )
                {
                        $r = $self->{session}->call( "can_user_view_document",
                                        $self,
                                        $user
                                );
                        return 1 if $r eq "ALLOW";
                        return 0 if $r eq "DENY";
                        EPrints->abort( "can_user_view_document returned '$r': expected ALLOW or DENY" );
                }
                else
                {
                        $r = $self->{session}->call( "can_request_view_document",
                                        $self,
                                        $self->{session}->{request}
                                );
                        return 1 if $r eq "ALLOW";
                        return 0 if $r eq "DENY" || $r eq "USER";
                        EPrints->abort( "can_request_view_document returned '$r': expected ALLOW, DENY or USER" );
                }
        }

If the code you provides within the configuration option $c->{can_user_view_document} or $c->{can_request_view_document}.  If it is the former (i.e. can_user...) then the only valid options are ALLOW or DENY.  USER is only valid for the can_request_view_document and even there it not intended to be used to give access to documents (this should only ever be ALLOW), it just prevent an abort.  I have to admit I don't know what the purpose of USER as a return value is, I think it may still be there for legacy reasons.  Therefore, I would change you code where it says USER and set this to ALLOW inside both the code blocks for $c->{can_user_view_document} and $c->{can_request_view_document}.

Also, I have fixed a known bug with the perl_lib/EPrints/DataObj/Document.pm to deal with permission issues when you have been given access through "Request a Copy" but are also logged in as a user but without the permissions to access the requested document.  The new code to be releases in 3.4.3 can be found at:

https://github.com/eprints/eprints3.4/blob/master/perl_lib/EPrints/DataObj/Document.pm

Regards

David Newman


On 18/01/2021 17:16, RAJA VISHWA wrote:
CAUTION: This e-mail originated outside the University of Southampton.
Hi David,
I just did the following code. But no luck. 
    my $ip = $doc->repository->remote_ip();
         my( $res, $passwd_sent ) = $r->get_basic_auth_pw;
         my( $user_sent ) = $r->user;
         if( defined $user_sent )
         {
                if( $user_sent eq "foo" && $passwd_sent eq "bar" )
                {
                        return "ALLOW";
                }
                return a 403.
                $r->note_basic_auth_failure;
                return "DENY";
         }
         my( $oncampus ) = 0;
         $_oncampus_ = 1 if( $ip eq "my_campus_ip" );
       return( "USER" ) if( $security eq "campus_and_validuser" && $oncampus );
         return( "ALLOW" ) if( $security eq "campus_or_validuser" && $oncampus );
         return( "ALLOW" ) if( $security eq "campus" && $oncampus );
        return( "USER" );


On Mon, Jan 18, 2021 at 7:29 PM David R Newman <drn@ecs.soton.ac.uk> wrote:

Hi Raja,

Yes, there should be settings for this in your archive's cfg/cfg.d/security.pl.  Be careful to make sure you the function to lookup the IP addess looks like:

my $ip = $eprint->repository->remote_ip();

As the older way of doing this breaks in recent versions of Apache and can make documents publicly accessible you would not otherwise intend to be.

Regards

David Newman

On 18/01/2021 13:43, RAJA VISHWA via Eprints-tech wrote:
CAUTION: This e-mail originated outside the University of Southampton.
Dear Team,

Is it possible to allow restricted document access from the institution's IP?

For example, any request is coming from Institution IP ranges shall we allow them to access the protected content without authentication?

I just try to configure the file which available  ( https://wiki.eprints.org/w/EPrints_User_Group_2015-01-13) at /opt/eprints3/archives/xxx/cfg/cfg.d/security.pl. But no luck.

Could anyone help me out?

Thanks,
Raja V

*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/

Virus-free. www.avg.com


--
Thanks with Regards,
Raja V