[NXP-24135] REST API should be improved such that a user can view a Document with references to documents they do not have permission to view - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 9.10
Fix Version/s: 9.10-HF03, 10.2
Component/s: Rest API

Release Notes Summary:
The REST API allows a user to view an authorized document when it contains a reference to an unauthorized document.
Tags:
- SupCom
- nextFT
- nxcore
Backlog priority:
900
Sprint:
nxcore 10.1.6
Story Points:
3

Description

If a more privileged user adds documents via the nuxeo-document-suggestion widget while creating or editing a document and then a less privileged user views the 'parent' document, an exception is thrown and the user is unable to proceed.

Ideally, the less-privileged user will be able to open the parent document and the field with references to other documents will display a 'filtered' list of documents they have 'READ' permission for.

Steps to reproduce

Log In as Administrator
Edit a document any user can view with a field using nuxeo-document-suggestion, select 1 or more documents that basic users do not have access to view
Log in as a basic user and view the origin document that was just edited
500 error is displayed.

Error in the logs

2018-03-01 14:35:39,443 ERROR [NuxeoRequestControllerFilter] remote=10.213.3.23,principal=jdoe,uri=/nuxeo/site/api/v1/path/default-domain/workspaces/Espace/Project,session=D8FA709109937F2C422F3322B1B60D89.nuxeo,thread=http-nio-0.0.0.0-8080-exec-6,info=Unhandled error was caught by the Filter
org.nuxeo.ecm.core.api.DocumentSecurityException: Privilege 'Read' is not granted to 'jdoe'
	at org.nuxeo.ecm.core.api.AbstractSession.checkPermission(AbstractSession.java:215)
	at org.nuxeo.ecm.core.api.AbstractSession.getDocument(AbstractSession.java:946)
	at org.nuxeo.ecm.core.model.DocumentModelResolver.fetch(DocumentModelResolver.java:181)
	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentPropertyJsonWriter.fetchProperty(DocumentPropertyJsonWriter.java:147)
	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentPropertyJsonWriter.writeScalarProperty(DocumentPropertyJsonWriter.java:106)
	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentPropertyJsonWriter.writeProperty(DocumentPropertyJsonWriter.java:91)
	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentPropertyJsonWriter.write(DocumentPropertyJsonWriter.java:85)
	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentPropertyJsonWriter.write(DocumentPropertyJsonWriter.java:78)
	at org.nuxeo.ecm.core.io.marshallers.json.AbstractJsonWriter.write(AbstractJsonWriter.java:76)
	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentModelJsonWriter.writeSchemaProperties(DocumentModelJsonWriter.java:213)
	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentModelJsonWriter.writeEntityBody(DocumentModelJsonWriter.java:176)
	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentModelJsonWriter.writeEntityBody(DocumentModelJsonWriter.java:107)
	at org.nuxeo.ecm.core.io.marshallers.json.ExtensibleEntityJsonWriter.write(ExtensibleEntityJsonWriter.java:79)
	at org.nuxeo.ecm.core.io.marshallers.json.AbstractJsonWriter.write(AbstractJsonWriter.java:76)

...
2018-03-01 14:35:39,486 ERROR [DefaultNuxeoExceptionHandler] Cannot forward to error page: response is already committed

Attachments

Activity

People

Assignee:

Luis Duarte

Reporter:

Jackie Aldama

Participants:

Guillaume Renard, Jackie Aldama, Jenkins, Luis Duarte

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Created:

2018-01-09 22:52

Updated:

2018-03-14 21:01

Resolved:

2018-03-12 12:19

Time Tracking

Estimated:

Remaining:

Logged: