Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-26604

Fix page provider with unrestricted session property when overriden to use elasticsearch

    XMLWordPrintable

    Details

    • Release Notes Summary:
      Page providers using Elasticsearch are correctly run in an unrestricted session.
    • Tags:
    • Backlog priority:
      600
    • Sprint:
      nxcore 11.1.1
    • Story Points:
      3

      Description

      When a page provider is configured with the useUnrestrictedSession property in its XML contribution, or this property is added in java code at calling time, and the page provider is added to configuration variable elasticsearch.override.pageproviders in order to use elasticsearch, it still checks permissions when querying elasticsearch, it should not as it is configured to use an unrestricted session.

      How to reproduce:

      • In Studio create a XML extension with the follwoing XML:
        <extension point="providers" target="org.nuxeo.ecm.platform.query.api.PageProviderService">
        
            <coreQueryPageProvider name="unrestricted_pp">
              <pattern>
                SELECT * FROM Document WHERE ecm:path STARTSWITH '/default-domain/workspaces/ws1' AND ecm:currentLifeCycleState != 'deleted'
              </pattern>
              <property name="useUnrestrictedSession">true</property>
            </coreQueryPageProvider>
        
          </extension>
        
      • add unrestricted_pp to configuration variable elasticsearch.override.pageproviders in nuxeo.conf file
      • deploy and start the Nuxeo Platform
      • log in as Administrator and create a new user user1
      • create workspace /default-domain/workspaces/ws1
      • in the workspace:
        • create a File document named File1 and block its permissions inheritance
        • create a second File document name File2, block its permissions inheritance and add Read access to user user1
      • execute the page provider using the REST API with user1 credentials using command curl -u user1:user1 -H 'application/json' http://localhost:8080/nuxeo/api/v1/search/pp/unrestricted_pp/execute

      Expected result: the result JSON contains 2 documents, File1 and File2.
      Actual result: the result JSON contains only 1 document, File1.

      See below a sample curl command sent by the Nuxeo Platform when executing page provider GET_TASKS_FOR_PROCESS with the unrestricted session flag:

      curl -XGET 'http://elasticsearch:9200/nuxeo/doc/_search?pretty&search_type=dfs_query_then_fetch' -d '{
        "from" : 0,
        "size" : 10000,
        "query" : {
          "bool" : {
            "must" : [
              {
                "bool" : {
                  "must" : [
                    {
                      "constant_score" : {
                        "filter" : {
                          "term" : {
                            "ecm:mixinType" : {
                              "value" : "Task",
                              "boost" : 1.0
                            }
                          }
                        },
                        "boost" : 1.0
                      }
                    },
                    {
                      "constant_score" : {
                        "filter" : {
                          "bool" : {
                            "must_not" : [
                              {
                                "terms" : {
                                  "ecm:currentLifeCycleState" : [
                                    "ended",
                                    "cancelled"
                                  ],
                                  "boost" : 1.0
                                }
                              }
                            ],
                            "disable_coord" : false,
                            "adjust_pure_negative" : true,
                            "boost" : 1.0
                          }
                        },
                        "boost" : 1.0
                      }
                    },
                    {
                      "constant_score" : {
                        "filter" : {
                          "term" : {
                            "ecm:isProxy" : {
                              "value" : "0",
                              "boost" : 1.0
                            }
                          }
                        },
                        "boost" : 1.0
                      }
                    },
                    {
                      "constant_score" : {
                        "filter" : {
                          "term" : {
                            "nt:processId" : {
                              "value" : "ba5e7758-61c2-44b8-8e5b-820b82749d5b",
                              "boost" : 1.0
                            }
                          }
                        },
                        "boost" : 1.0
                      }
                    }
                  ],
                  "disable_coord" : false,
                  "adjust_pure_negative" : true,
                  "boost" : 1.0
                }
              }
            ],
            "filter" : [
              {
                "bool" : {
                  "must" : [
                    {
                      "terms" : {
                        "ecm:acl" : [
                          "SUPNXP-24249",
                          "grp1",
                          "members",
                          "vdu1",
                          "Everyone"
                        ],
                        "boost" : 1.0
                      }
                    }
                  ],
                  "must_not" : [
                    {
                      "terms" : {
                        "ecm:acl" : [
                          "_UNSUPPORTED_ACL_"
                        ],
                        "boost" : 1.0
                      }
                    }
                  ],
                  "disable_coord" : false,
                  "adjust_pure_negative" : true,
                  "boost" : 1.0
                }
              }
            ],
            "disable_coord" : false,
            "adjust_pure_negative" : true,
            "boost" : 1.0
          }
        },
        "_source" : {
          "includes" : [
            "_id"
          ],
          "excludes" : [ ]
        }
      }
      '
      

      You can see that the query still contains a filter on ecm:acl.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 4 hours
                  4h

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.