EPrints Technical Mailing List Archive


Message: #09854



RE: [EP-tech] Eprints - function-level access control (FLAC)


CAUTION: This e-mail originated outside the University of Southampton.

Hi James,
Trying to decipher their messages:


For 'new deposit':
- should anyone who can log into your repository be able to create an item, or is there a subset of LDAP users who would be able to authenticate, but not create items (e.g. undergraduates)?

If so, you might want to look at the usertype that gets assigned for these groups. There is (or used to be) a 'minuser' usertype – that could do some things, but not create new items. This might be similar to what they mean.
As far as I can see, I just get a 401 response if I try to get to that page – but I'm an 'unprivileged' user rather than a 'low privileged' one.


It's possible the same applies for the second URL – but again that gives me a 401.


In these scenarios, it might be useful to get their actual report – or, if this is not forthcoming, try to identify the scan through the web logs – so you can see e.g. whether they were logged in when running the scan.


In general, EPrints does have function level access control – see my first response to Yuri this week – about privileges and roles.


Cheers,

John
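
To follow up John's suggestion about the web logs, here is an added example (it is not from either message in this thread and is not EPrints code) that pulls every request to the two flagged URLs out of an Apache access log and reports, per client, whether the request carried a session cookie and what status it received. It assumes a LogFormat that appends the EPrints session cookie to the combined format, assumes that cookie is named eprints_session, reconstructs the first flagged URL as /cgi/users/home?screen=NewDeposit (the "?" is missing from the scanner output as quoted), and runs on a few constructed log lines embedded in the script.

```python
"""Triage a scanner's 'missing function-level access control' finding
against the web-server access log. Added example for this thread; not
EPrints code.

Assumed Apache LogFormat (not a stock EPrints setting): the combined
format plus the EPrints session cookie. The cookie name 'eprints_session'
is an assumption:
  "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{eprints_session}C\""
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<session>[^"]*)"$'
)

# Functions the scanner flagged, keyed by (path, value of the screen= parameter).
# The NewDeposit URL is reconstructed as /cgi/users/home?screen=NewDeposit (assumption).
FLAGGED = {
    ("/cgi/users/home", "NewDeposit"),
    ("/cgi/users/login", None),
}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["screen"] = parse_qs(url.query).get("screen", [None])[0]
    rec["status"] = int(rec["status"])
    # Apache logs "-" when the cookie is absent, so "-" means an anonymous request.
    rec["authenticated"] = rec["session"] not in ("", "-")
    return rec


def verdict(rec):
    """Say what one request to a flagged function tells us about access control."""
    if rec["path"] == "/cgi/users/login":
        return "login page is public by design"
    if not rec["authenticated"]:
        if rec["status"] in (401, 403):
            return "enforced"  # anonymous request was refused
        if rec["status"] == 200:
            return "INVESTIGATE"  # anonymous request was served the screen
        return "check status %d" % rec["status"]
    return "authenticated; confirm this usertype is meant to deposit"


def audit(lines):
    """Group requests to flagged functions by (client IP, path, screen)."""
    found = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or (rec["path"], rec["screen"]) not in FLAGGED:
            continue
        key = (rec["ip"], rec["path"], rec["screen"])
        found[key].append((rec["status"], rec["authenticated"], verdict(rec)))
    return dict(found)


# Constructed sample log lines (addresses, timestamps and cookie value are made up).
SAMPLE_LOG = [
    # anonymous probe of the deposit screen: refused
    '203.0.113.7 - - [23/Oct/2024:14:02:11 +0100] "GET /cgi/users/home?screen=NewDeposit HTTP/1.1" 401 512 "-" "scanner/1.0" "-"',
    # login page: reachable without a session, as it must be
    '203.0.113.7 - - [23/Oct/2024:14:02:12 +0100] "GET /cgi/users/login?target=http%3A%2F%2Fdatacat.liverpool.ac.uk%2Fcgi%2Fusers HTTP/1.1" 200 3012 "-" "scanner/1.0" "-"',
    # same scanner, now carrying a session cookie from a credentialed login
    '203.0.113.7 - - [23/Oct/2024:14:05:40 +0100] "GET /cgi/users/home?screen=NewDeposit HTTP/1.1" 200 8431 "-" "scanner/1.0" "a1b2c3d4e5f6"',
    # unrelated public traffic, ignored
    '198.51.100.22 - - [23/Oct/2024:14:03:00 +0100] "GET /id/eprint/1234 HTTP/1.1" 200 9001 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for (ip, path, screen), hits in sorted(audit(SAMPLE_LOG).items()):
        target = path + ("?screen=" + screen if screen else "")
        for status, authed, why in hits:
            who = "session" if authed else "anonymous"
            print(f"{ip} {target} -> {status} ({who}): {why}")
```

Read the output with the finding in mind: an anonymous request that got 401 is the access control doing its job, and an anonymous request that got 200 for the NewDeposit screen is the only result that would actually support the scanner's claim. A 200 for a request with a session cookie just means the account the scan logged in with has a usertype that is allowed to deposit, which is the usertype question above.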


From: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> On Behalf Of James Kerwin
Sent: Wednesday, October 23, 2024 9:21 PM
To: eprints-tech@ecs.soton.ac.uk
Subject: [EP-tech] Eprints - function-level access control (FLAC)


CAUTION: External Message. Use caution opening links and attachments.


Hi,


I'm having an incredibly busy time and our IT department are creating new and interesting hurdles for me.


Hopefully someone can decipher what they mean, help me correct it if it is a problem, or help me explain to them why it isn't a problem.


They sent the following:

The remote web application fails to apply function-level access control, which allows a low-privileged or unprivileged user to access restricted functionality in the application. Can you please take a look at the below list and apply changes so authorization can be checked for all privileged functions in the application?


The following URLs are unrestricted:


/cgi/users/homescreen=NewDeposit


/cgi/users/login?target=http%3A%2F%2Fdatacat.liverpool.ac.uk%2Fcgi%2Fusers


Unfortunately their technical knowledge begins and ends at reading the results of a security scan, so they're infrequently able to offer any useful actionable advice. So far as I'm aware, these are just the URLs used to create a new deposit and log in to EPrints. We used LDAP(s) login (as discussed recently).

Can anybody confirm if this is something I need to worry about? If so, what should I be looking at? If not, how do I persuade them it's nothing to worry about?

Thanks,

James