[EP-tech] Re: Creating a read-only (but read everyting in the archive) user (Field A.N.)

Field A.N. af05v at ecs.soton.ac.uk
Fri Oct 2 10:32:28 BST 2015


You should submit this on github as a feature request.  It makes sense as a permission to give someone.


--
Adam Field
Business Relationship Manager and Community Lead
EPrints Services
+44 (0)23 8059 8814





On 2 Oct 2015, at 07:30, Andras Holl wrote:

> 
> Hi John,
> 
> Thanks a lot, it works!
> 
> I have added the 
> 
>                if( $user->has_role( "staff-view" ) )
>                {
>                        return "ALLOW";
>                }
> 
> part to security.pl,
> and set the 
> 
> staff-view role to the user (without the "+")
> 
> and it works!  Thank You!
> 
> Andras
> 
> Andras Holl
> Library and Information Centre,
> Hungarian Academy of Sciences
> 
>> Hi,
>> If you look in ~/archives/ARCHIVEID/cfg/cfg.d/security.pl, you will see the ↵
>> code that checks document permissions.
>> I think that it's this block:
>>       if( $security eq "staffonly" )
>>       {
>>               # If you want to finer tune this, you could create
>>               # new privs and use them.
>> 
>>               # people with priv editor can read this document...
>>               if( $user->has_role( "editor" ) )
>>               {
>>                       return "ALLOW";
>>               }
>> 
>>               if( $user->has_role( "admin" ) )
>>               {
>>                       return "ALLOW";
>>               }
>> 
>>               # ...as can the user who deposited it...
>>               if( $eprint->has_owner( $user ) )
>>               {
>>                      return "ALLOW";
>>               }
>> 
>>               # ...but nobody else can
>>               return "DENY";
>> 
>>       }
>> 
>> That is denying your user the access.
>> You may want to re-use the staff-view role in these security checks by adding ↵
>> something like
>>               if( $user->has_role( "staff-view" ) )
>>               {
>>                       return "ALLOW";
>>               }
>> 
>> NB This is untested - I'd check thoroughly before using it.
>> 
>> If you're interested in how EPrints gets to the methods in this file, this ↵
>> might be useful: ↵
>> http://wiki.eprints.org/w/Anatomy_of_a_request#EPrint_IDs.2C_Documents_and_EP_TRIGGER_DOC_URL_REWRITE
>> The Apache handlers are:
>> EPrints::Apache::Auth::authen_doc 
>> EPrints::Apache::Auth::authz_doc 
>> - which in turn call $doc->permit(...)
>> - which leads to
>> $c->{can_user_view_document}  and/or $c->{can_request_view_document}
>> 
>> 
>> Hope that helps!
>> Cheers,
>> John
> 
> 
> *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> *** Archive: http://www.eprints.org/tech.php/
> *** EPrints community wiki: http://wiki.eprints.org/
> *** EPrints developers Forum: http://forum.eprints.org/




More information about the Eprints-tech mailing list