Psychoanalytic-Electronic-Publishing / PaDS

Psychoanalysts Database System (PaDS) is a user database and authorization server with an API to manage and authenticate users for the PEP User Interface client and OPAS Document server.

User Permissions versus Document Read Permissions #25

Closed nrshapiro closed 2 years ago

nrshapiro commented 2 years ago

We had a user report that was perplexing. https://github.com/Psychoanalytic-Electronic-Publishing/Support/issues/312

I spoofed her, and see that the server gets the following information from PaDS.

Spoofed Session: 6acea512-4682-4d9e-991d-173fa239a1cd

pads_user_info, status_code = get_authserver_session_userinfo("6acea512-4682-4d9e-991d-173fa239a1cd", client_id, addl_log_info=" (complete session_record)")

[screenshot attached: PaDS session record for the spoofed user]

As you can see, it reports that she has PEPCurrent access.

But when the server asks permission to read the document,

https://pads.pep-web.org/PEPSecure/api/v1/Permits?SessionId=6acea512-4682-4d9e-991d-173fa239a1cd&DocId=PSAR.108.0291A&DocYear=2021&ReasonForCheck=DocumentView

it says that she doesn't have permission for that document (which she shouldn't), but still claims she has current access:

DocId = 'PSAR.108.0291A'
HasArchiveAccess = True
HasCurrentAccess = True
Permit = False
ReasonId = 200
ReasonStr = 'Your subscription gives you access to All NonEmbargoed (Archive), IJP JV103, IJP Open, but access to this document is denied because 2021 is in the embargoed years (3)....
SessionId = '6acea512-4682-4d9e-991d-173fa239a1cd'

@SophieMBennett

jwoosnam commented 2 years ago

It was reporting current as the JV103 content set was marked as current, presumably meaning that JV103 users can see all current IJP documents. I have now changed it to False and I believe it is behaving as you would expect.
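The inconsistency discussed in this issue (a session-level HasCurrentAccess derived from any content set flagged "current", while the per-document Permit is decided against the embargo window) can be modelled in a few lines. This is an added illustration, not PaDS code; the content-set data model, the `journals` coverage field, `check_year=2022`, and the assumption that "IJP Open" is not flagged current are all hypothetical.

```python
from dataclasses import dataclass

EMBARGO_YEARS = 3  # the "(3)" in the ReasonStr quoted in the issue


@dataclass(frozen=True)
class ContentSet:
    name: str
    is_current: bool                   # set grants documents in embargoed years
    journals: frozenset = frozenset()  # journal codes covered; empty means every journal


def is_embargoed(doc_year: int, check_year: int) -> bool:
    """A document is embargoed while fewer than EMBARGO_YEARS years have passed."""
    return check_year - doc_year < EMBARGO_YEARS


def check_permit(doc_id: str, doc_year: int, sets: list, check_year: int) -> dict:
    """Hypothetical model of the Permits response fields for one document."""
    journal = doc_id.split(".")[0]  # "PSAR" from "PSAR.108.0291A"

    def covers(s: ContentSet) -> bool:
        return not s.journals or journal in s.journals

    has_archive = any(not s.is_current for s in sets)
    # Session-level flag: True if ANY granted set is flagged current, whatever it covers.
    has_current = any(s.is_current for s in sets)
    if is_embargoed(doc_year, check_year):
        # Document-level decision: needs a current-flagged set that actually covers it.
        permit = any(s.is_current and covers(s) for s in sets)
        reason = "allowed" if permit else f"{doc_year} is in the embargoed years ({EMBARGO_YEARS})"
    else:
        permit = any(covers(s) for s in sets if not s.is_current)
        reason = "allowed" if permit else "no archive set covers this journal"
    return {"DocId": doc_id, "HasArchiveAccess": has_archive,
            "HasCurrentAccess": has_current, "Permit": permit, "ReasonStr": reason}


def subscriptions(jv103_is_current: bool) -> list:
    """The grants listed in the issue's ReasonStr; JV103's 'current' flag is the parameter."""
    return [
        ContentSet("All NonEmbargoed (Archive)", is_current=False),
        ContentSet("IJP JV103", is_current=jv103_is_current, journals=frozenset({"IJP"})),
        ContentSet("IJP Open", is_current=False, journals=frozenset({"IJP"})),  # assumed
    ]


if __name__ == "__main__":
    for flag in (True, False):  # before and after the flag change described above
        r = check_permit("PSAR.108.0291A", 2021, subscriptions(flag), check_year=2022)
        print(f"JV103 current={flag}: HasCurrentAccess={r['HasCurrentAccess']} Permit={r['Permit']}")
```

With JV103 flagged current the model reproduces the report (HasCurrentAccess=True, Permit=False); with the flag cleared the two fields agree.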