- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 7.10-HF20
- Component/s: Security / Rights
- Backlog priority: 700
- Sprint: nxcore 9.1.3
- Story Points: 3

A bug caused some permissions to have a null name.
The permission check in LTS2015 and onward raises an NPE in ACE#equals (line 305) if the permission label is null:
Caused by: java.lang.NullPointerException
    at org.nuxeo.ecm.core.api.security.ACE.equals(ACE.java:305)
    at java.util.ArrayList.indexOf(ArrayList.java:317)
    at java.util.ArrayList.contains(ArrayList.java:300)
    at org.nuxeo.ecm.core.api.security.impl.ACLImpl.add(ACLImpl.java:132)
    at org.nuxeo.ecm.core.storage.sql.coremodel.SQLSession.aclRowsToACP(SQLSession.java:761)
    at org.nuxeo.ecm.core.storage.sql.coremodel.SQLSession.getACP(SQLSession.java:740)
    at org.nuxeo.ecm.core.storage.sql.coremodel.SQLSession.getMergedACP(SQLSession.java:712)
    at org.nuxeo.ecm.core.security.SecurityService.checkPermission(SecurityService.java:134)
    at org.nuxeo.ecm.core.api.AbstractSession.hasPermission(AbstractSession.java:314)
    at org.nuxeo.ecm.core.api.AbstractSession.checkPermission(AbstractSession.java:204)
    at org.nuxeo.ecm.core.api.AbstractSession.getDocument(AbstractSession.java:948)
    at org.nuxeo.drive.service.impl.NuxeoDriveManagerImpl.queryAndFetchSynchronizationRoots(NuxeoDriveManagerImpl.java:475)
This breaks any API that checks permissions, such as the one used by Drive (GetChangeSummary etc.).
As non-null permission names are not enforced in the DB, we need to check that the permission name is not null and, when it is null, log a warning and return false instead.
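
A minimal sketch of the null-safe comparison described above, as an added example and not Nuxeo's actual ACE code: `NullSafeAceDemo` and `Entry` are hypothetical stand-ins, and the sample entries are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.logging.Logger;

// Hypothetical, simplified stand-in for an access control entry; NOT the Nuxeo ACE class.
public class NullSafeAceDemo {
    private static final Logger LOG = Logger.getLogger(NullSafeAceDemo.class.getName());

    static final class Entry {
        final String username;
        final String permission; // may be null when the DB row has no permission name
        final boolean granted;

        Entry(String username, String permission, boolean granted) {
            this.username = username;
            this.permission = permission;
            this.granted = granted;
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) return true; // keep equals reflexive, even for a bad entry
            if (!(obj instanceof Entry)) return false;
            Entry other = (Entry) obj;
            if (permission == null || other.permission == null) {
                // An unguarded permission.equals(...) is where the NPE would be thrown.
                LOG.warning("ACE with null permission name for user " + username);
                return false; // a nameless permission never matches a real one
            }
            return granted == other.granted
                    && Objects.equals(username, other.username)
                    && permission.equals(other.permission);
        }

        @Override
        public int hashCode() {
            return Objects.hash(username, permission, granted); // tolerates null fields
        }
    }

    public static void main(String[] args) {
        List<Entry> acl = new ArrayList<>();
        acl.add(new Entry("alice", null, true));        // constructed row with null name
        Entry read = new Entry("alice", "Read", true);  // constructed valid row
        // ArrayList.contains calls equals on each element, the path shown in the trace.
        System.out.println("contains before add: " + acl.contains(read));
        acl.add(read);
        System.out.println("contains after add: " + acl.contains(new Entry("alice", "Read", true)));
    }
}
```

Returning false for a null name keeps the lookup from throwing and means the nameless entry can never compare equal to an entry carrying a real permission.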