
Test journals can overwrite information in the PKP PN server #22

Open
jonasraoni opened this issue May 1, 2022 · 1 comment

jonasraoni commented May 1, 2022

Describe the bug
If a user sets up a clone of the journal for testing purposes, using another domain, the behavior of the staging server/plugin seems to be a little permissive/undefined, as it ends up overwriting the backend information with the data from the test domain.
Following the same idea, it would probably also be willing to ingest undesired/test content.

To Reproduce
Spin up a clone of the journal in another domain, and once it tries to contact the staging server, it will end up overwriting the information in the administrative panel (e.g. journal's URL).

Notes

  • We can detect URL changes, but it's not up to us to say which one refers to the production journal.
  • In order to ensure a journal administrator has control over the journal we might send a "beacon" to it from the PKP staging server (something similar to the way Google validates your login by asking permission from another device); it's just always good to ensure this can't be abused.
  • Overwriting the main host must be an incisive action (e.g. "The PKP PN already knows about your journal, but under a different URL, would you like to update it to use the URL xyz?")
  • The plugin could offer an option to disable itself, once the user flagged the journal is using a test domain.
  • Given that users might clone a journal instead of creating a new instance from zero, perhaps it's useful to offer an option to also reset the PKP PN GUID
  • Check if it makes sense to have a list of acceptable URLs in the PKP PN backend (probably not)
  • Check if PKP PN backend is too permissive (accepts deposits from any domain), and make it stricter (once we assure the user has been using a newer plugin/protocol version)

What application are you using?
OJS 3.3

Additional information
https://forum.pkp.sfu.ca/t/problem-the-pkp-pln-does-not-know-about-this-journal-yet/72678/17
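
One way to turn the notes above into a host-change policy on the staging-server side, written as an added Python sketch that is not code from the PLN plugin or the PKP PN server; the record layout, the `test_domain` flag and the decision names are assumptions:

```python
"""Stricter host-change handling for a preservation-network registry.

Added illustration, not PKP PN code.  A registration from a GUID the
server already knows, but coming from a different host, must never
overwrite the stored URL silently: it is parked until the journal
administrator explicitly confirms that exact URL.  A journal flagged
as a test domain is never allowed to touch the record at all."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit


@dataclass
class JournalRecord:
    guid: str                        # GUID stored in the journal's plugin settings (assumed layout)
    url: str                         # URL the network currently treats as authoritative
    pending_url: Optional[str] = None  # host change awaiting administrator confirmation


def host_of(url: str) -> str:
    """Normalised host (lowercased, port dropped) so scheme/port/case differences
    between two URLs of the same journal are not mistaken for a host change."""
    return (urlsplit(url).hostname or "").lower()


def evaluate_registration(registry: Dict[str, JournalRecord], guid: str,
                          url: str, test_domain: bool = False) -> str:
    """Decide what to do with a registration (e.g. terms acceptance) from `guid` at `url`.
    Returns 'new', 'unchanged', 'pending_confirmation' or 'rejected'."""
    if test_domain:
        return "rejected"            # self-declared test clone: leave the record alone
    rec = registry.get(guid)
    if rec is None:
        registry[guid] = JournalRecord(guid, url)
        return "new"
    if host_of(rec.url) == host_of(url):
        return "unchanged"
    rec.pending_url = url            # known GUID, different host: do NOT overwrite
    return "pending_confirmation"


def confirm_host_change(registry: Dict[str, JournalRecord], guid: str, confirmed_url: str) -> bool:
    """Apply a pending host change only for the exact URL the administrator confirmed."""
    rec = registry.get(guid)
    if rec is None or rec.pending_url is None or rec.pending_url != confirmed_url:
        return False
    rec.url, rec.pending_url = confirmed_url, None
    return True
```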

@jonasraoni jonasraoni self-assigned this May 1, 2022
@asmecher asmecher transferred this issue from pkp/pkp-lib May 11, 2022
@asmecher asmecher added this to the 2.0.4-3 milestone May 11, 2022
@jonasraoni jonasraoni changed the title [Plugin][PLN] Test journals can overwrite information in the PKP PN server Test journals can overwrite information in the PKP PN server May 12, 2022
@jonasraoni

It was agreed that we're going to synchronize the information with the staging server only when accepting the terms (this issue should be stated to the users).

@jonasraoni jonasraoni added the bug Something isn't working label Jan 23, 2023
@jonasraoni jonasraoni modified the milestones: 2.0.4-3, 2.0.4-4 Dec 1, 2023
@jonasraoni jonasraoni modified the milestones: 2.0.4-4, 2.0.4-5 Apr 11, 2024