Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Welcome to the CollectiveAccess support forum! Here the developers and community answer questions related to use of the software. Please include the following information in every new issue posted here:

  1. Version of the software that is used, along with browser and version

  2. If the issue pertains to Providence, Pawtucket or both

  3. What steps you’ve taken to try to resolve the issue

  4. Screenshots demonstrating the issue

  5. The relevant sections of your installation profile or configuration including the codes and settings defined for your local elements.


If your question pertains to data import or export, please also include:

  1. Data sample

  2. Your mapping


Answers may be delayed for posts that do not include sufficient information.

How to restrict access to media representations?

Hi!

We are trying to use collectiveaccess (providence) through the Web Services API with a custom built frontend.

The access control to the Web Services API with the basic authentication is working, but it is unclear how to restrict access to media representations.

When there is an object with a media representation, the Web Services API will return a URL to the media file, e.g.

This file can then be accessed through this URL without any authentication - regardless of the access settings of the media representation (access: not accessible to public) or the access settings of the object containing the media representation (access: All groups and users no access this record).

According to the documentation, the access settings on the media representation are only applicable to pawtucket. Is it therefore actually possible to restrict access to media representations through the access control settings in providence? Or is this only possible in combination with pawtucket?

Thank you!

Ingo

Comments

  • Someone can correct me if I'm wrong, but since the CA isn't actually enforcing file access to restricted items -- only using access status to hide their display -- for use out of the CA ecosystem, it is incumbent on us to enforce those restrictions. In my case, I use CA's Web Services API to populate search results on my library's website. To do so, I do two things: 1) add "AND ca_objects.access:1" to my query, and 2) add 'ca_object_representations.access' to the results bundle in order to check before displaying a thumbnail in the results.

  • In the "simple" API you can enforce access control such that the only data with the access privs of the authenticated user (or non-authenticated caller if need e) is returned. For the other APIs, you get everything and it's the consumers job to filter as needed.

  • Thank you for your answers!

    Do I understand this correct - if I have some sensitive documents that are stored as media representations, I can setup access settings and only certain users will be able to access the respective objects when logged into Providence. But every visitor to the Providence site will be able to access the media representation if he/she knows the URL?

    Does this also imply that for every public facing Providence installation, all media will be accessible to everyone who knows the URL of the media representation?

  • Yes, if you know the url you can get the file, unless you configure the web server to restrict access at the file level. The urls for media include a random component which makes it more difficult to guess URLs.

  • I should also add, if you have sensitive material that you don't want to be public, you shouldn't be putting it on a public facing server.

  • Ok, thank you for the clarification.

    My initial assumption was that collectiveaccess manages the access restrictions across the whole system.

    Ideally I would like to utlitize the extensive access control features of collectiveaccess. In our use case a user will have private objects/media representations that should only be visible to him/her and there will be group-level access of objects/media representations that should only be visible to members of this group. These use cases should be realizable with the user groups and record-level access features of collectiveaccess.

    However, in order to control the access to media representations, I will then also need to setup a second authorization tool in front of collectiveaccess that enforces the same access rights as configured in collectiveaccess to restrict access to the media representations.

    Do you have any recommendations on how this can best be achieved? Or do you know how other users solve this issue?

Sign In or Register to comment.