Access Controlled links

Bug #239209 reported by Richard H.
Affects: Document Library | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

The way access controlled document links work appears to have either changed or we have a bug. Let me explain...

I have uploaded a document to the training DL which has had group-access applied to it so that only members of the LDAP group called ISD can see the link. The link is pulled through onto devtrain as a cherry-picked link on a page at the following site - http://devtrain.beds.ac.uk/isd/documents.

Now, the problem we have is this: the link to the document should only appear to those with the appropriate authenticated credentials (i.e. members of the LDAP group called ISD)...

When you access devtrain.beds.ac.uk you have to log in (using your usual login, authenticated against our LDAP server), so you are authenticated. Someone who is not in the ISD group was able to go to the stated address (above) and they could see the access-controlled document link (marked with a * to confirm it is access-controlled). The problem with this is that they shouldn't be able to see the DL link at all - it is not meant to display for them at all.

The curious thing is that when they click on the download link (pdf or text in this case) it then asks them for login credentials before it allows them to download. In this case, their credentials were refused so they couldn't download the document. This is not how it is meant to behave. The 'Access controlled' links used to work exactly as described, but now they don't.

Has someone made changes to this and how it behaves? We really need this to be working the way it was before. If this is a bug, it's a very precise one.

(I will try all of this out on devstaff as well to see if it behaves in the same way).

Sylvain Viollon (thefunny) wrote:

Does this happen in the Silva interface, or in the public interface? Is there a squid caching the page?

Richard H. (richard-hewison) wrote:

I'm not sure what you mean by 'the public interface'?

We have an access controlled document which should be restricted to only being visible on a published web page (via Silva) on devtrain to members of a specific LDAP group. Someone who is successfully authenticated against LDAP but is not a member of that group can view the same web page, and they see the DL link for the access controlled document that they are not intended to see.

We have just created a similar scenario but via devstaff and the same individual could view the web page but could NOT see the access controlled document link - i.e. it worked exactly as expected.

So, the question is - what is different on devtrain which is preventing access controlled document links from working? We will investigate the setup at this end, and report back when we have more information.

Richard H. (richard-hewison) wrote:

Actually, when you select the download (pdf or text in the example on devstaff) you have to log in again before it will let you download the document. I'm guessing that this bit is deliberate, but we didn't actually ask for the access controlled DL links to behave this way, and I'm sure that in the past they didn't.

We will consult on this and get back to you, but there is a chance that this won't be a problem.

Richard H. (richard-hewison) wrote:

Please feel free to ignore our comments about the additional login request when you download the document - we just realised that you have to have password protection as well as hiding the link, else someone can pass the link's URL to another person and they could download the document.

Hiding the DL link is only half of the security you need behind access controlled documents. Password protecting it is a perfectly sensible idea and of course it should behave like this.
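
The two layers described above, as an added example (not Document Library or Silva code): the listing only renders links the viewer's LDAP groups allow, and the download handler re-checks on its own, so a passed-on URL is refused. It also models the squid question from the first reply with a constructed URL-keyed shared cache: if the per-user listing is cached without honouring `Cache-Control: private`, a non-member can be served a member's rendering and see the link while the download still refuses them, which is the exact symptom reported. Users, groups, documents and the cache are all constructed here.

```python
"""Two-layer access control for document links plus a shared-cache pitfall.

Added example, not Silva/Document Library code. All data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    path: str
    groups: frozenset  # LDAP groups allowed to see/download; empty = public


# Constructed LDAP group membership: alice is in ISD, bob is not.
USERS = {"alice": {"ISD"}, "bob": {"staff"}}
DOCS = [Document("/dl/training/report.pdf", frozenset({"ISD"})),
        Document("/dl/training/notice.pdf", frozenset())]


def can_access(user, doc):
    """Single authorisation decision shared by both layers."""
    return not doc.groups or bool(USERS.get(user, set()) & doc.groups)


def render_listing(user):
    """Layer 1: list only the links this viewer may open ('*' = restricted).
    The response is per-user, so it is marked private for shared caches."""
    links = [d.path + (" *" if d.groups else "")
             for d in DOCS if can_access(user, d)]
    return {"body": "\n".join(links), "headers": {"Cache-Control": "private"}}


def download(user, path):
    """Layer 2: the download handler re-checks, so a leaked URL is useless."""
    doc = next((d for d in DOCS if d.path == path), None)
    if doc is None:
        return 404
    return 200 if can_access(user, doc) else 401


class SharedCache:
    """Minimal proxy cache keyed on URL only (a squid-like intermediary)."""

    def __init__(self, honour_private=True):
        self.store = {}
        self.honour_private = honour_private

    def get(self, url, user):
        """Serve from cache if present, else render for this user."""
        if url in self.store:
            return self.store[url]
        resp = render_listing(user)
        if not (self.honour_private and
                resp["headers"].get("Cache-Control") == "private"):
            self.store[url] = resp  # misconfigured: caches a private page
        return resp
```

With `honour_private=False`, a member loading the page first lets a non-member see the restricted link from cache, yet `download()` still returns 401 for them.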

Richard H. (richard-hewison) wrote:

We are still left with a discrepancy between how devtrain and how devstaff behave with access-controlled documents.

Devtrain doesn't seem to hide the DL link from the person viewing the page, whilst Devstaff behaves as you would expect.

Both are authenticating against the same LDAP server for users *and* group information. The chosen documents (in /dl/training and /dl/uob) are both restricted to the same LDAP group (ISD) so the non-ISD person shouldn't be able to see the link but they can on devtrain and they can't on devstaff.

So, the question we have is: what is misconfigured on devtrain to prevent this from working?

Richard H. (richard-hewison) wrote:

Does anyone have any ideas on this? It could be something really simple. After all, if it works on devstaff then we must have done something wrong on devtrain.
