- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 8.10, 9.10, 10.10, 11.1
- Fix Version/s: 8.10-HF42, 9.10-HF26, 10.10-HF01, 11.1, 2021.0
- Component/s: Elasticsearch, Query & PageProvider
When a page provider is configured with the useUnrestrictedSession property (either in its XML contribution or set in Java code at call time) and is listed in the configuration variable elasticsearch.override.pageproviders so that it runs on Elasticsearch, the Elasticsearch query still applies the permission filter. It should not, since the page provider is configured to use an unrestricted session.
How to reproduce:
- In Studio create an XML extension with the following XML:
  <extension point="providers" target="org.nuxeo.ecm.platform.query.api.PageProviderService">
    <coreQueryPageProvider name="unrestricted_pp">
      <pattern>
        SELECT * FROM Document WHERE ecm:path STARTSWITH '/default-domain/workspaces/ws1' AND ecm:currentLifeCycleState != 'deleted'
      </pattern>
      <property name="useUnrestrictedSession">true</property>
    </coreQueryPageProvider>
  </extension>
- add unrestricted_pp to configuration variable elasticsearch.override.pageproviders in nuxeo.conf file
- deploy and start the Nuxeo Platform
- log in as Administrator and create a new user user1
- create workspace /default-domain/workspaces/ws1
- in the workspace:
  - create a File document named File1 and block its permissions inheritance
  - create a second File document named File2, block its permissions inheritance and add Read access to user user1
- execute the page provider through the REST API with user1's credentials, using the command curl -u user1:user1 -H 'application/json' http://localhost:8080/nuxeo/api/v1/search/pp/unrestricted_pp/execute
Expected result: the result JSON contains 2 documents, File1 and File2.
Actual result: the result JSON contains only 1 document, File1.
Below is a sample of the curl command logged by the Nuxeo Platform for the Elasticsearch request it sends when executing the page provider GET_TASKS_FOR_PROCESS with the unrestricted session flag:
curl -XGET 'http://elasticsearch:9200/nuxeo/doc/_search?pretty&search_type=dfs_query_then_fetch' -d '
{
  "from": 0,
  "size": 10000,
  "query": {
    "bool": {
      "must": [
        {
          "bool": {
            "must": [
              { "constant_score": { "filter": { "term": { "ecm:mixinType": { "value": "Task", "boost": 1.0 } } }, "boost": 1.0 } },
              { "constant_score": { "filter": { "bool": { "must_not": [ { "terms": { "ecm:currentLifeCycleState": [ "ended", "cancelled" ], "boost": 1.0 } } ], "disable_coord": false, "adjust_pure_negative": true, "boost": 1.0 } }, "boost": 1.0 } },
              { "constant_score": { "filter": { "term": { "ecm:isProxy": { "value": "0", "boost": 1.0 } } }, "boost": 1.0 } },
              { "constant_score": { "filter": { "term": { "nt:processId": { "value": "ba5e7758-61c2-44b8-8e5b-820b82749d5b", "boost": 1.0 } } }, "boost": 1.0 } }
            ],
            "disable_coord": false,
            "adjust_pure_negative": true,
            "boost": 1.0
          }
        }
      ],
      "filter": [
        {
          "bool": {
            "must": [
              { "terms": { "ecm:acl": [ "SUPNXP-24249", "grp1", "members", "vdu1", "Everyone" ], "boost": 1.0 } }
            ],
            "must_not": [
              { "terms": { "ecm:acl": [ "_UNSUPPORTED_ACL_" ], "boost": 1.0 } }
            ],
            "disable_coord": false,
            "adjust_pure_negative": true,
            "boost": 1.0
          }
        }
      ],
      "disable_coord": false,
      "adjust_pure_negative": true,
      "boost": 1.0
    }
  },
  "_source": {
    "includes": [ "_id" ],
    "excludes": [ ]
  }
}'
Note that the query still contains the permission filter on ecm:acl (the terms clauses in the filter section), even though the page provider runs with an unrestricted session.
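The following script is an added example, not code from the ticket or from the Nuxeo Platform. It serves both the reproduction steps above and the logged Elasticsearch request: it walks a captured query body to report whether the ecm:acl security filter is present (a regression check for this bug), produces the shape the request should have when useUnrestrictedSession is honoured, and replays the ACL part of the filter against a constructed two-document index mirroring File1 and File2 from the reproduction steps. The request body, the index contents and the simplified matching rule (a document is visible when at least one of the caller's principals appears in its ecm:acl and no denied marker does) are assumptions constructed for the example, not Nuxeo's own indexing logic.

```python
import copy
import json

ACL_FIELD = "ecm:acl"

# Constructed request body, trimmed from the shape shown in the ticket: the
# business query sits under query.bool.must and the security filter is
# appended under query.bool.filter as terms clauses on ecm:acl.
SAMPLE_QUERY = {
    "from": 0,
    "size": 10000,
    "query": {
        "bool": {
            "must": [
                {"constant_score": {"filter": {"term": {"ecm:mixinType": {"value": "Task"}}}}}
            ],
            "filter": [
                {
                    "bool": {
                        "must": [{"terms": {ACL_FIELD: ["user1", "members", "Everyone"], "boost": 1.0}}],
                        "must_not": [{"terms": {ACL_FIELD: ["_UNSUPPORTED_ACL_"], "boost": 1.0}}],
                    }
                }
            ],
        }
    },
    "_source": {"includes": ["_id"], "excludes": []},
}

# Constructed index (doc id -> principals listed in ecm:acl) mirroring the
# reproduction steps: File1 has inheritance blocked with no grant for user1,
# File2 grants user1 Read.
SAMPLE_INDEX = {
    "File1": ["administrators"],
    "File2": ["administrators", "user1"],
}


def iter_acl_terms(node, negated=False):
    """Walk the query DSL tree and yield (negated, principals) for every
    'terms' clause on ecm:acl; clauses under a must_not are negated."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "terms" and isinstance(value, dict) and ACL_FIELD in value:
                yield negated, list(value[ACL_FIELD])
            else:
                yield from iter_acl_terms(value, negated or key == "must_not")
    elif isinstance(node, list):
        for item in node:
            yield from iter_acl_terms(item, negated)


def acl_filter_summary(query):
    """Return {'allowed': [...], 'denied': [...]} describing the security
    filter, or None when the query carries no ecm:acl clause at all."""
    allowed, denied = [], []
    for negated, principals in iter_acl_terms(query):
        (denied if negated else allowed).extend(principals)
    if not allowed and not denied:
        return None
    return {"allowed": allowed, "denied": denied}


def check_request_body(body_text):
    """Parse a captured request body (the -d payload of a logged curl command)
    and report its security filter, if any."""
    return acl_filter_summary(json.loads(body_text))


def strip_acl_filter(query):
    """Return a deep copy with every ecm:acl terms clause removed, dropping any
    container that only held such clauses: the expected unrestricted shape."""
    def prune(node):
        if isinstance(node, dict):
            terms = node.get("terms")
            if isinstance(terms, dict) and ACL_FIELD in terms:
                return None
            kept = {k: p for k, p in ((k, prune(v)) for k, v in node.items()) if p is not None}
            return kept if kept or not node else None
        if isinstance(node, list):
            kept = [p for p in (prune(item) for item in node) if p is not None]
            return kept if kept or not node else None
        return node
    return prune(copy.deepcopy(query))


def is_visible(doc_acl, summary):
    """Simplified replay of the filter: visible when an allowed principal is in
    the document's ecm:acl and no denied marker is (assumption, see lead-in)."""
    if summary is None:
        return True
    acl = set(doc_acl)
    return bool(acl & set(summary["allowed"])) and not (acl & set(summary["denied"]))


def execute(query, index):
    """Apply only the ACL part of the query to the index; return visible ids."""
    summary = acl_filter_summary(query)
    return sorted(doc_id for doc_id, acl in index.items() if is_visible(acl, summary))


if __name__ == "__main__":
    print("security filter:", acl_filter_summary(SAMPLE_QUERY))
    print("restricted result  :", execute(SAMPLE_QUERY, SAMPLE_INDEX))
    print("unrestricted result:", execute(strip_acl_filter(SAMPLE_QUERY), SAMPLE_INDEX))
```

With the filter present only File2 is returned; after stripping the ecm:acl clauses both documents are, which is the result the unrestricted page provider is expected to produce. Feeding the -d payload of a logged request to check_request_body() gives a quick way to confirm whether a given hotfix actually removes the filter for unrestricted providers.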