From 19f680524693759c14be456b6d7661d35ac02437 Mon Sep 17 00:00:00 2001
From: Sascha Szott
Date: Thu, 22 Jan 2026 23:14:26 +0100
Subject: [PATCH 1/2] fix check of exposed configuration properties
---
 .../app/rest/repository/ConfigurationRestRepository.java | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ConfigurationRestRepository.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ConfigurationRestRepository.java
index afcef4451542..a8cdc58cd9ec 100644
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ConfigurationRestRepository.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ConfigurationRestRepository.java
@@ -43,7 +43,7 @@ protected String[] getExposedProperties() {
 return configurationService.getArrayProperty("rest.properties.exposed");
 }
- protected String[] getAdminRestrictedProperties() {
+ protected String[] getAdminExposedProperties() {
 return configurationService.getArrayProperty("admin.rest.properties.exposed");
 }
@@ -70,8 +70,10 @@ public PropertyRest findOne(Context context, String property) {
 List adminRestrictedProperties = Arrays.asList(getAdminRestrictedProperties());
 if (!configurationService.hasProperty(property) ||
- (adminRestrictedProperties.contains(property) && !isCurrentUserAdmin(context)) ||
- (!exposedProperties.contains(property) && !isCurrentUserAdmin(context))) {
+ (
+ !exposedProperties.contains(property) &&
+ (!isCurrentUserAdmin(context) || !adminExposedProperties.contains(property))
+ )) {
 throw new ResourceNotFoundException("No such configuration property: " + property);
 }
From 01e9a41dd03a8662700506aca8cb9d298ad88ea3 Mon Sep 17 00:00:00 2001
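Review bot: The rewritten condition in `findOne` tests `exposedProperties.contains(property)` first, so a property listed in both `rest.properties.exposed` and `admin.rest.properties.exposed` is now returned to any caller, whereas the removed clause `adminRestrictedProperties.contains(property) && !isCurrentUserAdmin(context)` kept such a property admin-only. If that precedence is intended, state it above the `if`, for example `// A property in rest.properties.exposed is public even when it is also in admin.rest.properties.exposed; admins additionally see the admin list and nothing else.` The diffstat lists only this file, so unless it is covered elsewhere the series would benefit from tests asserting that an administrator requesting a property in neither list gets the not-found response and that a non-administrator requesting a property only in the admin list gets the same response. `findOne` begins and ends outside this hunk, so the remark is limited to the visible condition.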
From: Sascha Szott
Date: Fri, 23 Jan 2026 12:41:50 +0100
Subject: [PATCH 2/2] Update findOne method to use adminExposedProperties
---
 .../dspace/app/rest/repository/ConfigurationRestRepository.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ConfigurationRestRepository.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ConfigurationRestRepository.java
index a8cdc58cd9ec..029888a7cc00 100644
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ConfigurationRestRepository.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ConfigurationRestRepository.java
@@ -67,7 +67,7 @@ protected String[] getAdminExposedProperties() {
 @PreAuthorize("permitAll()")
 public PropertyRest findOne(Context context, String property) {
 List exposedProperties = Arrays.asList(getExposedProperties());
- List adminRestrictedProperties = Arrays.asList(getAdminRestrictedProperties());
+ List adminExposedProperties = Arrays.asList(getAdminExposedProperties());
 if (!configurationService.hasProperty(property) ||
 (