Test if auth.deniedSubmitters still and how works

[taojing2002]

Request from smithsonian:

Is anyone familiar enough with MetacatUI access policies to know if you can create a group that would serve as a “blocklist” to >prevent certain users from submitting? Smithsonian is asking whether this is possible, since they are considering opening >submissions to the public.
yes, but its done a little differently. Set allowedSubmitters to the group in metacat.properties
ah, right. I think they were asking because they didn’t want to maintain a big group of submitters like that.
Check with jing on how the allow lists and deny lists get merged

[taojing2002]

Also deniedSumitters is easy to bypass. If they change to another orcid, they can submit again.

[taojing2002]

I quickly went through code and found the deny property should still work. We only allow users who are in the allowed list AND not in the denied list to create/update objects.

return (isAllowedSubmitter(username, groups) && !isDeniedSubmitter(username, groups));

[iannesbitt]

Thank you @taojing2002

[iannesbitt]

I think all they need is to be able to block certain ORCiDs, I don’t think they’re too concerned about people switching accounts.