Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-30678

Retention: context parameter permissions are empty for an admin user

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: ADDONS_10.10, ADDONS_2021
    • Fix Version/s: 10.10-HF54, 2021.12
    • Component/s: Retention

      Description

      A regression was introduced by NXP-30342 with this commit

      The remove on the permissions list (when the doc is under retention or legal hold and the current user is admin) produced a silent exception:

      java.lang.UnsupportedOperationException: remove
	at java.util.Iterator.remove(Iterator.java:102) ~[?:?]
	at java.util.AbstractCollection.remove(AbstractCollection.java:299) ~[?:?]
	at org.nuxeo.ecm.core.security.SecurityService.filterGrantedPermissions(SecurityService.java:162) ~[main/:?]
	at org.nuxeo.ecm.core.api.AbstractSession.filterGrantedPermissions(AbstractSession.java:329) ~[main/:?]
	at org.nuxeo.ecm.core.io.marshallers.json.enrichers.BasePermissionsJsonEnricher.getPermissionsInSession(BasePermissionsJsonEnricher.java:87) ~[main/:?]
	at org.nuxeo.ecm.core.io.marshallers.json.enrichers.BasePermissionsJsonEnricher.write(BasePermissionsJsonEnricher.java:76) ~[main/:?]
	at org.nuxeo.ecm.core.io.marshallers.json.enrichers.BasePermissionsJsonEnricher.write(BasePermissionsJsonEnricher.java:1) ~[main/:?]
	at org.nuxeo.ecm.core.io.marshallers.json.enrichers.AbstractJsonEnricher.write(AbstractJsonEnricher.java:70) [main/:?]
	at org.nuxeo.ecm.core.io.marshallers.json.enrichers.AbstractJsonEnricher.write(AbstractJsonEnricher.java:1) [main/:?]
	at org.nuxeo.ecm.core.io.marshallers.json.AbstractJsonWriter.write(AbstractJsonWriter.java:81) [main/:?]
	at org.nuxeo.ecm.core.io.marshallers.json.ExtensibleEntityJsonWriter.write(ExtensibleEntityJsonWriter.java:106) [main/:?]
	at org.nuxeo.ecm.core.io.marshallers.json.AbstractJsonWriter.write(AbstractJsonWriter.java:81) [main/:?]
	at org.nuxeo.ecm.webengine.jaxrs.coreiodelegate.PartialCoreIODelegate.writeTo(PartialCoreIODelegate.java:113) [classes/:?]
	at com.sun.jersey.spi.container.ContainerResponse.write(ContainerResponse.java:302) [jersey-server-1.19.4.jar:1.19.4]
	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1510) [jersey-server-1.19.4.jar:1.19.4]
	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419) [jersey-server-1.19.4.jar:1.19.4]
	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409) [jersey-server-1.19.4.jar:1.19.4]
	at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409) [jersey-servlet-1.19.4.jar:1.19.4]
	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558) [jersey-servlet-1.19.4.jar:1.19.4]
	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733) [jersey-servlet-1.19.4.jar:1.19.4]
	at org.nuxeo.ecm.webengine.app.jersey.WebEngineServlet.containerService(WebEngineServlet.java:62) [classes/:?]
	at org.nuxeo.ecm.webengine.app.jersey.WebEngineServlet.service(WebEngineServlet.java:46) [classes/:?]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.nuxeo.ecm.platform.web.common.RequestContextFilter.doFilter(RequestContextFilter.java:44) [main/:?]
	at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.nuxeo.ecm.webengine.jaxrs.session.SessionCleanupFilter.run(SessionCleanupFilter.java:50) [classes/:?]
	at org.nuxeo.ecm.webengine.jaxrs.HttpFilter.doFilter(HttpFilter.java:49) [classes/:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.nuxeo.ecm.webengine.app.WebContextFilter.doFilter(WebContextFilter.java:57) [classes/:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoRequestControllerFilter.doFilter(NuxeoRequestControllerFilter.java:139) [main/:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.nuxeo.ecm.webengine.app.HeaderFixFilter.run(HeaderFixFilter.java:62) [classes/:?]
	at org.nuxeo.ecm.webengine.jaxrs.HttpFilter.doFilter(HttpFilter.java:49) [classes/:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilterInternal(NuxeoAuthenticationFilter.java:543) [main/:?]
	at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilter(NuxeoAuthenticationFilter.java:346) [main/:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.nuxeo.ecm.platform.web.common.exceptionhandling.NuxeoExceptionFilter.doFilter(NuxeoExceptionFilter.java:40) [main/:?]
	at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.nuxeo.ecm.core.management.jtajca.internal.Log4jWebFilter.doFilter(Log4jWebFilter.java:69) [main/:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) [tomcat-catalina-9.0.54.jar:9.0.54]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382) [tomcat-coyote-9.0.54.jar:9.0.54]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote-9.0.54.jar:9.0.54]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:895) [tomcat-coyote-9.0.54.jar:9.0.54]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1722) [tomcat-coyote-9.0.54.jar:9.0.54]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.54.jar:9.0.54]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-util-9.0.54.jar:9.0.54]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-util-9.0.54.jar:9.0.54]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.54.jar:9.0.54]
	at java.lang.Thread.run(Thread.java:829) [?:?]

      The exception itself is caused by the upper caller BasePermissionsJsonEnricher which passes an array of permissions to the SecurityService as a list using the java.util.Arrays.asList helper (which returns a fixed-size list backed by the specified array). As a direct result, the add or remove method is not available on such list implementation and produces this UnsupportedOperationException.

      This exception could not be seen/detected because the implemented abstract class by the JSON enricher catches any exceptions to log them at INFO level (logging level not enabled by default). Global Exception catching without proper handling has never been a good idea/pattern but, in this particular case, we can't really rethrow any kind of errors without introducing a breaking change.

      The minimum would be to log a WARN if not an ERROR.

      Steps to reproduce:

      • Admin user creates a document
      • Admin user applies a Retention Rule to the document
      • Admin user doesn't see button to Extend Retention Period

      Expected Outcome:

      • Admin user clicks the Extend Retention Period and picks a later date on Date Picker
      • The document's Retention Period is extended

        Attachments

          Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. NXP-30846 Fix ACLS enricher on document property

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          is caused by

          Improvement - An improvement or enhancement to an existing feature or task. NXP-30342 Allow for granted users to delete and trash content under retention or legal hold

          • Major - Major loss of function.
          • Resolved
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. NXP-30675 Creator of document isn't able to remove Legal hold

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. NXP-31412 Fix enricher errors (traced as warn)

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. NXP-30964 Fix WARN in RenditionJsonEnricher

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Clean up - NXP-30742 Clean up json enrichers to do not produce warn logs

          • Major - Major loss of function.
          • Resolved
          Is referenced in

          [Captain Hook] PR for 10.10: #4977 PR for 10.10: #4977

          [Captain Hook] PR for 2021: #285 PR for 2021: #285

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: