Commonwealth-VLR-Engine is a Rails engine for creating Blacklight apps that provide access to content from Solr/Fedora, packaging a number of feature-rich enhancements and modifications.
Apache License 2.0
enforce download restrictions at controller level #102
We have many in-copyright items that do not display download links in the public front-end on the catalog#show page.
However, a "malicious" user can infer the link pattern for downloads and construct a URL to download a restricted item.
Download restrictions should be set at the controller level so that DownloadsControllerBehavior returns a 401 Unauthorized error for requests for restricted items from non-admin users.
See the #license_allows_download? method in app/helpers/commonwealth_vlr_engine/downloads_helper_behavior.rb.
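The controller-level check the issue asks for, as an added example that is not the project's own code: a mixin meant to be included in `DownloadsControllerBehavior` and registered with `before_action :enforce_download_restrictions, only: [:show]`, so that a directly constructed download URL is refused with 401 whether or not the front-end rendered a link. It is written in plain Ruby with a stand-in controller so it runs without Rails. The document shape (`license_ssi` field), the allow-list body of `license_allows_download?` (the issue names the helper but not its signature), the `User` class and all sample records are assumptions constructed for this example.

```ruby
# Added example (not the project's code): enforce the download restriction at
# the controller level instead of relying on the catalog#show view hiding links.
#
# Assumptions (hypothetical, not taken from the project):
#  - a document is a Hash with a "license_ssi" field naming its license;
#  - `license_allows_download?` returns true only for licenses on an allow-list;
#  - the current user responds to `admin?` (nil means anonymous).

module DownloadRestrictionEnforcement
  # Constructed allow-list; a real deployment would derive this from its
  # license vocabulary.
  ALLOWED_LICENSES = ['Public Domain', 'CC BY', 'CC BY-SA'].freeze

  # Hypothetical reimplementation of the helper named in the issue.
  def license_allows_download?(document)
    ALLOWED_LICENSES.include?(document['license_ssi'])
  end

  # Intended as a before_action: decide before any bytes are streamed, so the
  # check cannot be bypassed by guessing the download URL pattern.
  def enforce_download_restrictions
    return if current_user&.admin?              # admins may fetch anything
    return if license_allows_download?(@document)
    head :unauthorized                          # 401, as the issue requests
  end
end

# Minimal stand-in for an ActionController so the example runs offline.
class FakeDownloadsController
  include DownloadRestrictionEnforcement

  STATUS_CODES = { unauthorized: 401 }.freeze

  attr_reader :status, :current_user

  def initialize(document, user)
    @document = document
    @current_user = user
    @status = nil
  end

  # Rails' `head` renders an empty response with the given status and, when
  # called from a before_action, halts the filter chain. We emulate that by
  # recording the status and letting `show` skip serving the file.
  def head(symbol)
    @status = STATUS_CODES.fetch(symbol)
  end

  # Simulates a request to downloads#show: run the filter, then serve (200)
  # only if the filter did not already respond.
  def show
    enforce_download_restrictions
    @status ||= 200
  end
end

# Constructed user type; `admin` is a plain boolean.
User = Struct.new(:admin) do
  def admin?
    admin
  end
end

# Constructed sample records (not real repository items).
RESTRICTED_DOC = { 'id' => 'sample-restricted-1', 'license_ssi' => 'In Copyright' }.freeze
OPEN_DOC       = { 'id' => 'sample-open-1',       'license_ssi' => 'Public Domain' }.freeze

# Returns the HTTP status a download request would receive.
def download_status(document, user)
  FakeDownloadsController.new(document, user).show
end

if __FILE__ == $PROGRAM_NAME
  puts "anonymous, restricted: #{download_status(RESTRICTED_DOC, nil)}"
  puts "admin, restricted:     #{download_status(RESTRICTED_DOC, User.new(true))}"
  puts "anonymous, open:       #{download_status(OPEN_DOC, nil)}"
end
```

The important property is that the decision is made in the controller from the document's license and the requester's role, not from whether a link was rendered; hiding the link remains a usability choice, and the 401 is what actually stops the constructed-URL case.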