bioatlas / ala-docker

Dockerized version of Atlas of Living Australia components
GNU Affero General Public License v3.0

biocache Download Issue #37

Closed IuriGarcia closed 5 years ago

IuriGarcia commented 5 years ago

Hey gentlemen, it's me again. So, now I'm trying to make the Download module in biocache.ala.org.au/download work.

Looks like I cannot provide such a resource because it depends on the DOI module (doi.ala.org.au). So, will I really need to set up my own DOI, or is there a way for me to use someone else's DOI to be able to make the download option work?

shahmanash commented 5 years ago

https://github.com/bioatlas/ala-docker/blob/develop/config/ala-hub-config.properties#L197

I guess this config disables the DOI minting. Could you ask in the Slack channel to confirm it?

IuriGarcia commented 5 years ago

That is exactly what it does. I've noticed that normal users can connect to https://beta.bioatlas.se/ala-hub/admin. Is it OK?

mskyttner commented 5 years ago

Hi Iuri, we are using the CAS module to provide authentication for that URL, intentionally. What do you want to achieve?

IuriGarcia commented 5 years ago

For me that was a sensitive URL that should be blocked to non-Admin users, am I wrong?

Another issue is, can I use the download plugin without a DOI server? Having in ala-hub.properties: useDownloadPlugin=true but without DOI?

mskyttner commented 5 years ago

The admin functionality should be blocked for non Admin users. We can confirm that you should expect to see https://auth.bioatlas.se/cas/login?service=https%3A%2F%2Fbeta.bioatlas.se%2Fala-hub%2Fadmin if trying to access the admin functionality.

Thanks for bringing attention to the issue and please clarify your concerns in a separate email with further details to email markus.skyttner at nrm.se if you think you have discovered a security hole.

On your second DOI question... I don't know, but I hope so.

I am not yet familiar with the DOI module but earlier in this thread @shahmanash indicates that the DOI module can be deployed but be disabled, if it is a needed dependency of another module. Is this what you are trying to achieve?

Or are you planning to issue DOIs? It might be technically possible but requires infrastructure management that others already provide and addressing questions like:

Because of this, we would also like to use the Download module but without minting, maintaining and managing our own DOI infrastructure; if possible we'd like to use DOI infrastructure from GBIF.org or Zenodo. I think GBIF.org has a block of DOIs that they manage and that there is a cost involved for that.

It would be good to avoid having to run a separate DOI infrastructure independently?

At least that is my current understanding of what we're aiming for within bioatlas.se.

Let us know your further findings related to this topic.
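
An added example, not part of the thread or the project's own code: a Python check that an unauthenticated request for the admin URL is answered with a redirect to the CAS login carrying the matching `service` parameter, as the comment above says to expect. The function names and the constructed sample responses are assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit, parse_qs

REDIRECTS = (301, 302, 303, 307, 308)

def check_cas_redirect(requested_url, status, location, cas_login_url):
    """Return (ok, reason) for an unauthenticated response to a protected URL."""
    if status not in REDIRECTS:
        return False, f"status {status}: not a redirect to the CAS login"
    if not location:
        return False, "redirect without a Location header"
    loc, cas = urlsplit(location), urlsplit(cas_login_url)
    if (loc.scheme, loc.netloc, loc.path) != (cas.scheme, cas.netloc, cas.path):
        return False, f"redirects to {loc.netloc}{loc.path}, not the CAS login"
    # parse_qs percent-decodes the value, so compare against the plain URL
    service = parse_qs(loc.query).get("service", [])
    if service != [requested_url]:
        return False, f"service parameter {service} does not match the request"
    return True, "unauthenticated request is sent to the CAS login"

def probe(requested_url, cas_login_url):
    """Fetch the URL with no cookies and without following redirects."""
    u = urlsplit(requested_url)
    conn = http.client.HTTPSConnection(u.netloc, timeout=10)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return check_cas_redirect(requested_url, resp.status,
                                  resp.getheader("Location"), cas_login_url)
    finally:
        conn.close()

# URLs taken from the thread; the (status, Location) pairs are constructed.
ADMIN = "https://beta.bioatlas.se/ala-hub/admin"
CAS = "https://auth.bioatlas.se/cas/login"
EXPECTED = CAS + "?service=https%3A%2F%2Fbeta.bioatlas.se%2Fala-hub%2Fadmin"
SAMPLES = [
    (302, EXPECTED),                                    # expected behaviour
    (200, None),                                        # page served directly
    (302, "https://beta.bioatlas.se/ala-hub/"),         # redirect, but not to CAS
    (302, CAS + "?service=https%3A%2F%2Fexample.org"),  # wrong service
]

def run_samples():
    return [check_cas_redirect(ADMIN, s, l, CAS)[0] for s, l in SAMPLES]

if __name__ == "__main__":
    for (status, loc), ok in zip(SAMPLES, run_samples()):
        print("PASS" if ok else "FAIL", status, loc)
```

`probe(ADMIN, CAS)` runs the same check against a live deployment; it only establishes that anonymous requests are sent to the login page, not which roles are admitted after login.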

IuriGarcia commented 5 years ago

@mskyttner, thank you for your time. I will be emailing you to clarify anything further about security issues.

I have enabled the useDownloadPlugin=true so when someone searches in ala-hub like: https://ala-hub.ala-hml.vertigo.com.br/ala-hub/occurrences/search?q=lsid%3A239487 it's possible to use the download plugin button, leading to: https://ala-hub.ala-hml.vertigo.com.br/ala-hub/download?searchParams=%3Fq%3Dlsid%253A239487&targetUri=/ala-hub/occurrences/search&totalRecords=24929.

However, by selecting occurrence records, Full Darwin Core and CSV options, the link for the raw download is broken and I do not receive any email for download, since it looks like DOI is needed in order to make that download link inside the email.

I'm looking to run a separate DOI infrastructure as a possibility, yes. And already trying to create that module by myself, I'll share any progress!