Restricted Thumbnails don't load for any users #1579

Closed
tdonohue opened this issue Mar 25, 2022 · 0 comments · Fixed by #1694
Labels
authorization related to authorization, permissions or groups bug component: Item (Archived) Item display or editing Estimate TBD help wanted Needs a volunteer to claim to move forward high priority
Comments

@tdonohue
Member

tdonohue commented Mar 25, 2022

(Discovered during the review of #1556, but it's not specific to Withdrawn Item thumbnails)

Describe the bug
When a Thumbnail image has any sort of access restrictions, it is unable to display even to EPersons who have those access rights. As a basic example, if you modify a Thumbnail image bitstream to have an Administrator READ policy (without an Anonymous READ policy), then that Thumbnail will no longer be displayed for any users, even Administrators. Any time it is accessed, a 401 response will be sent back by the REST API.

As described in 1556, the issue appears to be that the thumbnail gets rendered (see thumbnail.component) by putting its /content link directly in the template and letting the browser retrieve it. So there is no authorisation or short-lived token added.

    <img *ngIf="src !== null" class="thumbnail-content img-fluid"
         [src]="src | dsSafeUrl" [alt]="alt | translate" (error)="errorHandler()">

The solution would be, just like for restricted downloads, to retrieve a short-lived token first and add it to the content URL. However, this is an image shown/resolved by the browser on item page/search grid view/..., so it can't go through a 'download page' as is done for (restricted) downloads...

To Reproduce
One basic example:

  1. Find an Item which has an existing Thumbnail
  2. Edit the Item, find the Thumbnail bitstream and Edit its policies
  3. Remove any Anonymous READ policy. Add an Admin READ policy
  4. Now, go back to the Item. Verify the Thumbnail doesn't load (your browser's devtools will show a 401 response code)
  5. Login as an Admin, verify the Thumbnail still doesn't load.

Expected behavior
Ideally, restricted thumbnails should still be displayed to users who have permissions to view them.

Workaround
Currently, the workaround is to ensure all Thumbnails are publicly available. If you encounter this issue, you can modify the policies of the Thumbnail bitstream to ensure it has an Anonymous READ policy.

Related work

@tdonohue tdonohue added bug help wanted Needs a volunteer to claim to move forward authorization related to authorization, permissions or groups medium priority Estimate TBD component: Item (Archived) Item display or editing labels Mar 25, 2022
@tdonohue tdonohue added this to To Do in DSpace 7.3 release via automation Mar 25, 2022
@tdonohue tdonohue removed this from To Do in DSpace 7.3 release May 20, 2022
@tdonohue tdonohue added this to To Do in DSpace 7.4 release via automation May 20, 2022
DSpace 7.4 release automation moved this from To Do to Done Sep 23, 2022
@tdonohue tdonohue added this to the 7.4 milestone Nov 30, 2022
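The short-lived-token approach proposed in the issue, sketched as an added example; this is not code from dspace-angular or from the fix in #1694. The parameter name in `TOKEN_PARAM`, the `fetchToken` callback, the `restOrigin` argument and both function names are assumptions made for illustration.

```typescript
// Added illustration; not code from dspace-angular. All names are hypothetical.

// Assumption: the REST API accepts the short-lived token as a query parameter
// with this name; adjust to whatever the backend actually expects.
const TOKEN_PARAM = 'authentication-token';

/**
 * Append a short-lived token to a bitstream /content URL, but only when the
 * URL points at the REST API's own origin, so the token is never sent to a
 * third-party host. Returns the URL unchanged in every other case.
 */
function withShortLivedToken(contentUrl: string, token: string | null, restOrigin: string): string {
  if (!token) {
    return contentUrl; // anonymous user, or no token available
  }
  let url: URL;
  try {
    url = new URL(contentUrl);
  } catch {
    return contentUrl; // not an absolute URL; leave it alone
  }
  if (url.origin !== new URL(restOrigin).origin) {
    return contentUrl; // never leak the token cross-origin
  }
  url.searchParams.set(TOKEN_PARAM, token); // set() replaces any stale token
  return url.toString();
}

/**
 * Resolve the value to bind to <img [src]>. `fetchToken` stands in for the
 * call that asks the backend for a short-lived token.
 */
async function resolveThumbnailSrc(
  contentUrl: string,
  isAuthenticated: boolean,
  restOrigin: string,
  fetchToken: () => Promise<string>,
): Promise<string> {
  if (!isAuthenticated) {
    return contentUrl; // public thumbnails need no token
  }
  try {
    return withShortLivedToken(contentUrl, await fetchToken(), restOrigin);
  } catch {
    return contentUrl; // fall back; the <img> (error) handler shows a placeholder
  }
}
```

Because the token travels in the URL, it ends up in access logs and browser history, which is why this pattern only makes sense with tokens that expire quickly.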