samvera-labs / nurax-pre2023

Vanilla-plus Hyrax app for testing and tire-kicking
https://nurax-dev.curationexperts.com

"Click for more details" shows too much information about work #282

Closed chrisdaaz closed 6 years ago

chrisdaaz commented 6 years ago

Descriptive summary

Public visitors of collections see more information than is necessary or even desired when viewing a list of works in a collection and clicking the "more details" arrow.

Rationale

A public user of a public collection has no need to see the "Edit Access" or "Depositor" metadata of a work when browsing a collection. In some cases, the names, groups, and email addresses of users with edit access to works may be confidential.

Expected behavior

Visitors browsing a collection may be interested in more descriptive details about the work itself, such as "Keywords" or "Rights".

Actual behavior

image

Steps to reproduce the behavior

  1. As a non-logged-in user, visit a public collection
  2. Click on the little arrow to the right of the Work title to view more details.

elrayle commented 6 years ago

This is not a change from 2.0, which shows non-logged-in users the following work details...

image

elrayle commented 6 years ago

@vantuyls @no-reply @jrr Should this be a blocker? This is not a change from 2.0 to 2.1, but it is a security issue to reveal editor IDs to public (non-logged-in) users.

julesies commented 6 years ago

I think this was fixed. Closing.