Skip to content
Permalink
master
Switch branches/tags

eprints/lib/defaultcfg/cfg.d/security.pl

Go to file
 
 
Cannot retrieve contributors at this time
137 lines (109 sloc) 3.77 KB
Raw Blame
# this method handles checking to see if a basic request is allowed to
# view a secured document.
# Valid return values are
# "ALLOW" - allow the rquest to view the document
# "DENY" - deny the request to view the document
# "USER" - allow the request if the current user is allowed to view
# the document. Ask for login if nobody is logged in.
$c->{can_request_view_document} = sub
{
my( $doc, $r ) = @_;
#my $eprint = $doc->get_eprint();
my $security = $doc->value( "security" );
my $eprint = $doc->get_eprint();
my $status = $eprint->value( "eprint_status" );
if( $security eq "public" && $status eq "archive" )
{
return( "ALLOW" );
}
my $code = EPrints::Apache::AnApache::cookie( $r, "eprints_doc_request" );
if( EPrints::Utils::is_set( $code ) )
{
my $request = EPrints::DataObj::Request->new_from_code( $doc->get_session, $code );
if( defined $request )
{
my $docid = $doc->get_id;
my $target_docid = $request->get_value( "docid" );
if( "$docid" eq "$target_docid" )
{
return( "ALLOW" ) unless( $request->has_expired() );
}
}
}
# Example of how to allow an override for certain basic auth type usernames/passwords.
# This is useful if you want the site to be read by a crawler, for example.
# You may wish to wrap it all in a if( $ip eq "xxx" ) for added security.
#
# my $ip = $doc->repository->remote_ip();
#
# my( $res, $passwd_sent ) = $r->get_basic_auth_pw;
# my( $user_sent ) = $r->user;
# if( defined $user_sent )
# {
# if( $user_sent eq "foo" && $passwd_sent eq "bar" )
# {
# return "ALLOW";
# }
# # return a 403.
# $r->note_basic_auth_failure;
# return "DENY";
# }
# some examples of possible settings
# my( $oncampus ) = 0;
# $oncampus = 1 if( $ip eq "152.78.69.157" );
# return( "USER" ) if( $security eq "campus_and_validuser" && $oncampus );
# return( "ALLOW" ) if( $security eq "campus_or_validuser" && $oncampus );
# return( "ALLOW" ) if( $security eq "campus" && $oncampus );
#
# return( "DENY" ) if( $ip eq "101.34.34.1" );
return( "USER" );
};
# Return "ALLOW" if the given user can view the given document,
# otherwise return "DENY".
$c->{can_user_view_document} = sub
{
my( $doc, $user ) = @_;
my $eprint = $doc->get_eprint();
my $security = $doc->value( "security" );
# If the document belongs to an eprint which is in the
# inbox or the editorial buffer then we treat the security
# as staff only, whatever it's actual setting.
if( $eprint->dataset()->id() ne "archive" )
{
$security = "staffonly";
}
# Add/remove types of security in metadata-types.xml
# Trivial cases:
return( "ALLOW" ) if( $security eq "public" );
return( "DENY" ) if( $user->get_type eq "minuser" );
return( "ALLOW" ) if( $security eq "validuser" );
# examples for location validation
# return( "ALLOW" ) if( $security eq "validuser_and_campus" );
# return( "ALLOW" ) if( $security eq "validuser_or_campus" );
# if the mode is "campus" then this method will never be called.
if( $security eq "staffonly" )
{
# If you want to finer tune this, you could create
# new privs and use them.
# people with priv editor can read this document...
if( $user->has_role( "editor" ) )
{
return "ALLOW";
}
if( $user->has_role( "admin" ) )
{
return "ALLOW";
}
# ...as can the user who deposited it...
if( $eprint->has_owner( $user ) )
{
return "ALLOW";
}
# ...but nobody else can
return "DENY";
}
$doc->repository->log(
"unrecognized user security flag '$security' on document ".$doc->get_id );
# Unknown security type, be paranoid and deny permission.
return( "DENY" );
};