Affects Version/s: 8.10, 9.10, 10.10, 11.1
When a page provider is configured with the useUnrestrictedSession property in its XML contribution, or this property is added in java code at calling time, and the page provider is added to configuration variable elasticsearch.override.pageproviders in order to use elasticsearch, it still checks permissions when querying elasticsearch, it should not as it is configured to use an unrestricted session.
- In Studio create a XML extension with the follwoing XML:
- add unrestricted_pp to configuration variable elasticsearch.override.pageproviders in nuxeo.conf file
- deploy and start the Nuxeo Platform
- log in as Administrator and create a new user user1
- create workspace /default-domain/workspaces/ws1
- in the workspace:
- create a File document named File1 and block its permissions inheritance
- create a second File document name File2, block its permissions inheritance and add Read access to user user1
- execute the page provider using the REST API with user1 credentials using command curl -u user1:user1 -H 'application/json' http://localhost:8080/nuxeo/api/v1/search/pp/unrestricted_pp/execute
the result JSON contains 2 documents, File1 and File2.
the result JSON contains only 1 document, File1.
See below a sample curl command sent by the Nuxeo Platform when executing page provider GET_TASKS_FOR_PROCESS with the unrestricted session flag:
You can see that the query still contains a filter on ecm:acl.