Test journals can overwrite information in the PKP PN server #22
Description
Describe the bug
If a user setup a clone of the journal for testing purposes, using another domain, the behavior of the staging server/plugin seems to be a little permissive/undefined, as it ends up overwriting the backend information with the data from the test domain.
Following the same idea, it might probably be also willing to ingest undesired/test content.
To Reproduce
Spin up a clone of the journal in another domain, and once it tries to contact the staging server, it will end up overwriting the information in the administrative panel (e.g. journal's URL).
Notes
- We can detect URL changes, but it's not up to us to say which one refers to the production journal.
- In order to ensure a journal administrator has control over the journal we might send a "beacon" to it from the PKP staging server (something similar to the way Google validates your login by asking permission from another device), just always good to ensure this can't be abused.
- Overwriting the main host must be an incisive action (e.g. "The PKP PN already know about your journal, but under a different URL, would you like to update it to use the URL xyz?")
- The plugin could offer an option to disable itself, once the user flagged the journal is using a test domain.
- Given that users might clone a journal instead of creating a new instance from zero, perhaps it's useful to offer an option to also reset the PKP PN GUID
- Check if it makes sense to have a list of acceptable URLs in the PKP PN backend (probably not)
- Check if PKP PN backend is too permissive (accepts deposits from any domain), and make it stricter (once we assure the user has been using a newer plugin/protocol version)
What application are you using?
OJS 3.3
Additional information
https://forum.pkp.sfu.ca/t/problem-the-pkp-pln-does-not-know-about-this-journal-yet/72678/17
Metadata
Metadata
Assignees
Labels
Type
Projects
Status