Public search engine allows searching using private fields

I’m using the latest version of Omeka S and some of the fields I use are private while all the other fields are public.

On the public website, I can use the advanced search engine. On the admin side, I checked the setting Restrict to templates so that the drop-down menu only displays used fields.

The problem is that private fields are also displayed. The second problem is that searching using these private fields is possible.

The conclusion of this is that private fields are only partially private. They should not be displayed on the search engine, and it should not be possible to search using these fields as criteria (even when dealing with HTTP request parameters).

This seems to be a serious security issue. Don’t you think?

You’ve made these private in what way? Using a module?

I used two ways to make the fields private:

  • first, I set these fields as private in the resource template
  • then I set these fields as private while using the CSV Import module

So you’re just using the “Private” flag for values (the template just sets that Private flag by default for new values). “Private” doesn’t affect an entire property, it goes value by value. So to that extent, it being available in the search property dropdown isn’t unexpected (though maybe we should think about removing properties marked as private when applying a template to the search).

The other half of what you mentioned, that the items can be found by searching their private values, that’s not expected, and I also can’t reproduce it.

The only things I can think of are:

  • You’re logged in when looking at the public site: in this case it’s expected that you’d be able to search for / see private values
  • These values are not actually marked private (you can double-check this with the “slashed eye” icon when viewing the item on the admin side)
  • You’re using some different search that doesn’t account for private values. I double-checked this against the fulltext and “by property” searches, and both behaved as expected and did not include results from any private values to anonymous users

If you think none of these is your situation, please provide more details on how you’re setting up the items and in particular, how you’re searching for them.
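The three checks listed above can be run from the outside rather than by eye. The script below is an added example, not Omeka S code and not something from this thread: it issues the same "by property" search twice against the Omeka S REST API, once anonymously and once with an API key, and reports whether an item that carries a value flagged private on that property is returned to the anonymous caller. It relies on the documented REST query parameters `property[0][property]`, `property[0][type]=eq`, `property[0][text]` and the `key_identity`/`key_credential` key pair, and on the per-value `is_public` flag that the JSON exposes to an authenticated caller (an anonymous caller never sees private values in the JSON at all, so what matters is whether the item itself comes back). The base URL, property id, secret value and key strings are placeholders.

```python
"""Added example (not Omeka S code): compare anonymous vs. authenticated
"by property" searches on the Omeka S REST API to see whether a value the
admin flagged private can still be used to find its item without logging in.

Assumptions, labelled: property[0][property] / property[0][type]=eq /
property[0][text] and key_identity / key_credential are the Omeka S API
query parameters; "is_public" is the per-value flag present in JSON returned
to an authenticated caller.  BASE URL, property id, secret and keys in
__main__ are placeholders, not real data."""
import json
import urllib.parse
import urllib.request


def property_search_url(base_url, property_id, text, key_identity=None, key_credential=None):
    """Build /api/items?property[0][...]=... (exact-match search on one property)."""
    params = [
        ("property[0][property]", str(property_id)),
        ("property[0][type]", "eq"),
        ("property[0][text]", text),
    ]
    if key_identity and key_credential:
        params += [("key_identity", key_identity), ("key_credential", key_credential)]
    return base_url.rstrip("/") + "/api/items?" + urllib.parse.urlencode(params)


def fetch_json(url):
    """Real fetcher; the check takes it as a parameter so a fake can be injected offline."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        return json.load(resp)


def private_values(item, property_id):
    """Values of `property_id` on one item JSON object that carry is_public == False.
    Only an authenticated response contains such values at all."""
    found = []
    for term, values in item.items():
        # Skip Omeka's own keys (o:id, o:resource_template, @id, @type, ...);
        # property values are lists keyed by a vocabulary term such as dcterms:description.
        if term.startswith(("o:", "@")) or not isinstance(values, list):
            continue
        for value in values:
            if (isinstance(value, dict)
                    and value.get("property_id") == property_id
                    and value.get("is_public") is False):
                found.append(value.get("@value"))
    return found


def check_private_search(base_url, property_id, secret, key_identity, key_credential, fetch=fetch_json):
    """Report whether `secret`, entered as a private value of `property_id`,
    is findable anonymously.

    confirmed_private: the authenticated search found the item and the matching
                       value really is flagged private (the "slashed eye" check, done in code)
    anonymous_hits:    item ids the public API returns for the same query
    leak:              both of the above hold, i.e. private is not private for search
    """
    auth_items = fetch(property_search_url(base_url, property_id, secret, key_identity, key_credential))
    confirmed = any(secret in private_values(item, property_id) for item in auth_items)
    anon_items = fetch(property_search_url(base_url, property_id, secret))
    anon_ids = sorted(item["o:id"] for item in anon_items)
    return {"confirmed_private": confirmed, "anonymous_hits": anon_ids, "leak": confirmed and bool(anon_ids)}


if __name__ == "__main__":
    # Placeholders: your site, the property id from the admin Vocabularies page,
    # the private value you entered on an item, and an API key pair from your user page.
    print(check_private_search("https://omeka.example.org", 4, "confidential note", "KEY_ID", "KEY_CRED"))
```

If `confirmed_private` is false, the value was not actually private (or the key's user cannot see the item), so the rest of the result says nothing about the bug; only `leak: True` reproduces what the original post describes, an item surfacing anonymously through a value that the anonymous response then omits.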

On the public side, the advanced search engine is only displaying fields that are used on a template. It reveals what fields we are using for describing items and what their alternate labels are. This is a first problem.

Then, if we select a private field, it is possible to search on this field, even if I am not logged in.

To respond to your suggestions:

  • I’m not logged in
  • the values are marked as private
  • I’m using the default advanced search

When I search items using these private fields, I get some results. And when I click on one of these results, I can see the item’s details, but the private values do not appear.

Maybe modules can interfere with the default behavior of Omeka. I’m using 4 modules:

  • CSV Import
  • File Sideload
  • Metadata Browse
  • Numeric Data Types

I can maybe give you the url of my server so you can test it by yourself.

The URL to your site could help, yes.

I’ve updated to Omeka v2.1.2 and the bug I’m reporting is partly fixed.

  • I can still search using private fields.
  • I can still see the alternate label of private fields.

In my opinion, the bug is still not yet fixed as it discloses private information such as private fields and labels.

However, searching using these private fields does not return any records. So version 2.1.2 partly fixes the bug.

By the way, I’ve read the changelog and I can’t see which bugfix fixes the issue I’m talking about. Can you please tell me what has improved the situation?

The issue closed in 2.1.2 that affects this was #1534.

For your other questions about the search UI: you’re just using the “apply a template to the search” feature, correct? We can just have that skip over the marked-private properties, I would think…

As a workaround for your current situation, you could make a new template that has the same alternates and so on as the real one you’re using, but just exclude the private properties from it entirely, and then configure that one for the search on your site.

You’re right, in the site settings, in the search category, I’ve checked the Restrict to templates flag.

Thanks for the workaround.

And for a real solution, I also think that the marked-private properties should be skipped, but for the public search only. For the search on the private/admin side, all fields should remain available.

And thanks for the link to the issue. It is strange that the behavior I’ve seen was due to a cache issue…