At present, an openwis user who has the permission to edit metadata has the ability to:
1/ add new metadata to any set of the catalogue
2/ move metadata (which they own) to any other set
3/ add new metadata using any uniform resource name (URN).
This behavior is not compliant with WMO and is a risk to metadata management on Openwis.
The proposed evolution is the following:
1/ Have the ability to associate an openwis user/editor with a specific set; in that case the user can only add/modify/delete metadata in this set.
2/ Have the possibility to specify URN regular expressions for a specific user; in that case the user can only add/modify/delete metadata whose URN matches the regular expression. For example, the following regular expressions only authorize a user to work on Meteo-France metadata:
"x-wmo:bulletin:int.wmo.wis::......LFPW$"
":x-wmo:bulletin:int.wmo.wis::[TAZW].*_C_LFPW"
This is a requirement that was not met:
a) REQ-M.4.4.17: User MUST not be able to access particular metadata, data nor services unless they have the appropriate roles
b) REQ-M4.1.1.11: The system MUST maintain the integrity of the data
This was picked up in:
OWT-451 - allow metadata editors to belong to a group
OWT-504 - any editor can modify/replace someone else's metadata
OWT-505 - Any Editor can see all Categories - need to only be able to see their own
Also, security tests have picked up the ability to add scripts to the 'Title' of a metadata record, leaving users exposed, as well as other GISCs should they harvest it.
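One way to express the proposed set-plus-URN restriction as a deny-by-default authorization check, written in Python as an added example that is not OpenWIS code; the `EditorPolicy`/`MetadataRecord` structures, the set name and the sample URNs are assumptions constructed for the example, while the two regular expressions are the ones quoted in the issue:

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed data model (not OpenWIS's own): an editor is bound to one catalogue
# set and, optionally, to a list of URN regular expressions.
@dataclass
class EditorPolicy:
    set_name: str
    urn_patterns: List[str] = field(default_factory=list)

@dataclass
class MetadataRecord:
    urn: str
    set_name: str

def is_edit_allowed(policy: EditorPolicy, record: MetadataRecord,
                    target_set: Optional[str] = None) -> Tuple[bool, str]:
    """Deny by default; return (allowed, reason) so refusals can be logged.
    target_set is the destination set of a move, None for add/modify/delete.
    """
    # Set restriction: the record must live in the editor's set, and a move
    # may not take it outside that set.
    if record.set_name != policy.set_name:
        return False, f"record set {record.set_name!r} is not editor set {policy.set_name!r}"
    if target_set is not None and target_set != policy.set_name:
        return False, f"move target {target_set!r} is outside editor set {policy.set_name!r}"
    # URN restriction: when patterns are configured, at least one must match.
    # re.search is used because the issue's example patterns are not all
    # anchored; operational patterns should be anchored (^...$) to stay strict.
    if policy.urn_patterns and not any(re.search(p, record.urn) for p in policy.urn_patterns):
        return False, f"urn {record.urn!r} matches no allowed pattern"
    return True, "ok"

# The two regular expressions from the issue, bound to a Meteo-France editor.
METEO_FRANCE = EditorPolicy(
    set_name="meteo-france",
    urn_patterns=[r"x-wmo:bulletin:int.wmo.wis::......LFPW$",
                  r":x-wmo:bulletin:int.wmo.wis::[TAZW].*_C_LFPW"],
)

if __name__ == "__main__":
    # Constructed sample URNs, not taken from a real catalogue.
    for rec, dest in [
        (MetadataRecord("urn:x-wmo:bulletin:int.wmo.wis::SMFR10LFPW", "meteo-france"), None),
        (MetadataRecord("urn:x-wmo:bulletin:int.wmo.wis::SMFR10LFPW", "meteo-france"), "other-set"),
        (MetadataRecord("urn:x-wmo:bulletin:int.wmo.wis::SMUK10EGRR", "meteo-france"), None),
    ]:
        print(rec.urn, dest, is_edit_allowed(METEO_FRANCE, rec, dest))
```

The reason string is returned rather than only a boolean so that every refusal can be written to an audit log, which is what makes attempts to step outside the assigned set or URN space visible.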
From @benjaminsaclier on May 12, 2015 10:07
At present, an openwis user who has the permission to edit metadata has the ability to:
1/ add new metadata to any set of the catalogue
2/ move metadata (which they own) to any other set
3/ add new metadata using any uniform resource name (URN).
This behavior is not compliant with WMO and is a risk to metadata management on Openwis.
The proposed evolution is the following:
1/ Have the ability to associate an openwis user/editor with a specific set; in that case the user can only add/modify/delete metadata in this set.
2/ Have the possibility to specify URN regular expressions for a specific user; in that case the user can only add/modify/delete metadata whose URN matches the regular expression. For example, the following regular expressions only authorize a user to work on Meteo-France metadata:
"x-wmo:bulletin:int.wmo.wis::......LFPW$"
":x-wmo:bulletin:int.wmo.wis::[TAZW].*_C_LFPW"
Benjamin
Copied from original issue: OpenWIS/openwis#73