Nuxeo Platform / NXP-11617

Apply security policies not just for NXQL (CMISQL)


    Details

    • Impact type:
      API change
    • Upgrade notes:

      New APIs that must be implemented in order for CMIS queries to be executed with nontrivial security policies:

      • SecurityPolicy.isExpressibleInQuery(String repositoryName, String queryLanguage) -> boolean
      • SecurityPolicy.getQueryTransformer(String repositoryName, String queryLanguage) -> QueryTransformer
      • QueryTransformer.transform(Principal principal, String query) -> String

      Description

      The CMISQLQueryMaker does not currently apply security policy query transformers. This is a security hole that allows CMIS clients to retrieve documents they should be prevented from accessing.

      Currently, the Security Policy Query Transformers only support NXQL. They should be enhanced to also support CMISQL. In addition, the CMISQLQueryMaker must be enhanced to apply these new CMISQL Security Policy Query Transformers.

      WORKAROUND: Until this issue is resolved, the CMIS endpoints should be deactivated for projects that use security policies.
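As an added example (not code from this issue or from Nuxeo itself), a security policy that implements the two new APIs listed in the upgrade notes for CMISQL, so that the rule it enforces in checkPermission is also applied to CMIS query results instead of being bypassed. The Nuxeo package names, the AbstractSecurityPolicy base class, the checkPermission signature, Document.getPropertyValue and the QueryTransformer.DENY constant are assumed from Nuxeo core; the rule itself (non-administrators never see documents whose dc:nature is 'confidential') is constructed for this example.

```java
import java.security.Principal;
import org.nuxeo.ecm.core.api.NuxeoPrincipal;
import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.core.api.security.Access;
import org.nuxeo.ecm.core.model.Document;
import org.nuxeo.ecm.core.security.AbstractSecurityPolicy;
import org.nuxeo.ecm.core.security.SecurityPolicy.QueryTransformer;

public class ConfidentialPolicy extends AbstractSecurityPolicy {
    // Constructed rule: non-administrators never see documents whose dc:nature is 'confidential'.
    // This CMISQL predicate expresses the same rule that checkPermission enforces on direct access.
    static final String RESTRICTION = "dc:nature <> 'confidential'";
    static boolean isAdmin(Principal p) {
        return p instanceof NuxeoPrincipal && ((NuxeoPrincipal) p).isAdministrator();
    }
    // Direct-access path (Document.getPropertyValue is assumed to return the raw property value).
    @Override
    public Access checkPermission(Document doc, ACP mergedAcp, Principal principal, String permission,
            String[] resolvedPermissions, String[] additionalPrincipals) {
        if (isAdmin(principal)) return Access.UNKNOWN; // no opinion, the ACLs decide
        try {
            return "confidential".equals(doc.getPropertyValue("dc:nature")) ? Access.DENY : Access.UNKNOWN;
        } catch (Exception e) {
            return Access.DENY; // fail closed if the property cannot be read
        }
    }
    // Query path, the two APIs introduced by this issue: declare CMISQL support...
    @Override
    public boolean isExpressibleInQuery(String repositoryName, String queryLanguage) {
        return "CMISQL".equals(queryLanguage);
    }
    // ...and hand out the transformer; other languages are refused (QueryTransformer.DENY assumed).
    @Override
    public QueryTransformer getQueryTransformer(String repositoryName, String queryLanguage) {
        return isExpressibleInQuery(repositoryName, queryLanguage) ? ConfidentialPolicy::restrict : QueryTransformer.DENY;
    }
    // Textual rewrite: AND the restriction into WHERE and keep ORDER BY last (a real policy should parse the query).
    static String restrict(Principal principal, String query) {
        if (isAdmin(principal)) return query;
        String upper = query.toUpperCase(java.util.Locale.ROOT);
        int orderBy = upper.lastIndexOf(" ORDER BY ");
        String head = orderBy < 0 ? query : query.substring(0, orderBy);
        String tail = orderBy < 0 ? "" : query.substring(orderBy);
        int where = upper.indexOf(" WHERE ");
        if (where < 0) return head + " WHERE " + RESTRICTION + tail;
        int start = where + " WHERE ".length();
        return head.substring(0, start) + "(" + head.substring(start) + ") AND " + RESTRICTION + tail;
    }
}
```

The NXQL side of such a policy still goes through the pre-existing transformer hooks and is not shown here. The string rewrite is the weak part: a WHERE or ORDER BY inside a string literal would confuse it, which is why the transformer should work on a parsed query in production.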
