EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #09895


< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First

Re: [EP-tech] Embargoed files still accessible


Hi Elizabeth,

Assuming I have found the EPrints repository you are referring it is possible you could have a configuration file under the following path (substituting EPRINTS_PATH and ARCHIVE_ID as appropriate) that contains a line that is incompatible with Apache webserver versions 2.4 and greater:

EPRINTS_PATH/archives/ARCHIVE_ID/cfg/cfg.d/security.pl

The particular line that would be causing a problem is:

my $ip = $r->connection()->remote_ip();

If $ip is used later in this file, then you need to replace the line above with the following line:

my $ip = $doc->repository->remote_ip();

However, if $ip is not used later on, then it is best to both replace the line and comment out the new line.  Either way, be sure to reload your webserver (e.g. apachectl graceful) so that the change is applied.

The problem is that the code that is incompatible with Apache webserver versions 2.4 and greater, leads to this function failing.  Unfortunately, rather than failing and blocking all access it fails to apply any access restrictions.  Therefore, even when you remove the item from the public archive, it is accessible if you know the URL (i.e. its filename, eprint ID and document position in the eprint).

Regards

David Newman

On 05/12/2024 16:08, McCormick, Elizabeth wrote:
CAUTION: This e-mail originated outside the University of Southampton.
CAUTION: This e-mail originated outside the University of Southampton.

Hello,

We had 33 dissertations which were to be embargoed permanently. The full text PDF was attached to the record but visibility was set to “Repository staff only.” I also changed the citation coding so that the PDF icon didn’t have a link in it. There was a PDF of the signature/title page available in a separate link. This morning, I received a desperate email from the head of our graduate school, forwarding an email from the program director for the department in question. He’d discovered that by searching, in any browser, studentname dissertation radford, anyone could access the full text PDF. I’ve just removed all of those dissertations because moving them out of the live repository and into my workspace wasn’t enough. Why does setting an embargo not work completely? Why did moving them into my workspace not prevent retrieval of the full text document?

 

Thank you,

~Elizabeth

 

Elizabeth McCormick

Systems Librarian

McConnell Library

Radford University

540-831-5635

emccormick@radford.edu

 

“My body is my temple, and the goddess demands chocolate!”

 


*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/