Nuxeo Platform / NXP-26683

Fix rendition download to use proper reason/rendition in permission check

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.10
    • Fix Version/s: 9.10-HF27, 10.10-HF01, 11.1
    • Component/s: Core
    • Release Notes Summary:
      The download reason for Renditions is provided in the permission check.
    • Backlog priority:
      500
    • Sprint:
      nxFG 11.1.1
    • Story Points:
      2

      Description

      The permissions extension point of the download service allows restricting the download of a document's blob(s) based on a context provided to a JavaScript run() function.

      When downloading renditions (e.g. mainBlob, xmlExport, ...), the context variable Rendition is always null. According to our documentation (https://doc.nuxeo.com/910/nxdoc/file-download-security-policies/), it should contain the name of the rendition. Also, the context variable Reason is download; shouldn't it be rendition, as also mentioned in our documentation?

      How to reproduce:

      • in Studio Modeler, create a new XML extension with this code:
          <extension target="org.nuxeo.ecm.core.io.download.DownloadService" point="permissions">
            <permission name="myperm">
              <script language="JavaScript">
                function run() {
                  var allow = true;
                  print("Document's UUID: " + (Document == null ? "null" : Document.getId()));
                  print("Blob filename: " + (Blob == null ? "null" : Blob.getFilename()));
                  print("XPath: " + XPath);
                  print("CurrentUser's name: " + CurrentUser.getName());
                  print("Reason: " + Reason);
                  print("Rendition: " + Rendition);
                  print("===");
                  return allow;
                }
              </script>
            </permission>
          </extension>
        
      • deploy the Studio project and start the Nuxeo Platform with the command nuxeoctl console
      • log in to the JSF UI and get the XML export of a document (or use the REST API rendition endpoint, as the Web UI does)

      Expected result: the following output is produced in the terminal:

      Document's UUID: null
      Blob filename: document.xml
      XPath: null
      CurrentUser's name: Administrator
      Reason: rendition
      Rendition: xmlExport
      

      Actual result: the following output is produced in the terminal:

      Document's UUID: null
      Blob filename: document.xml
      XPath: null
      CurrentUser's name: Administrator
      Reason: download
      Rendition: null
      

      As a consequence, in a use case such as allowing only the preview of Picture documents while blocking the download of the main blob in the Web UI, it is impossible to block the rendition mainBlob.

      Here is another example: retrieving the picture view FullHD through the REST API rendition endpoint with the URL api/v1/path/default-domain/workspaces/ws1/San_Francisco_Bay_Area.j/@rendition/FullHD generates the following log in the console:

      Document's UUID: null
      Blob filename: FullHD_San_Francisco_Bay_Area.jpg
      XPath: null
      CurrentUser's name: Administrator
      Reason: download
      Rendition: null
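
The effect on the use case above, as an added example that is not part of the original issue or of Nuxeo's code: a policy that denies the mainBlob rendition is evaluated against the two kinds of context logged in this issue. The names allowDownload, contextIdentifiesRendition and evaluate, and the sample contexts, are hypothetical and constructed for illustration.

```javascript
// Policy for the use case in the description: block the mainBlob rendition,
// allow everything else. In a real contribution this body would sit in run()
// and read the Reason and Rendition context variables directly; taking them
// as a parameter here (an assumption) lets the policy be evaluated offline.
function allowDownload(ctx) {
  if (ctx.Reason === "rendition" && ctx.Rendition === "mainBlob") {
    return false; // deny the main blob served as a rendition
  }
  return true;
}

// Check for a context captured while requesting a known rendition: returns
// true when Reason/Rendition carry what the documentation describes.
function contextIdentifiesRendition(ctx, requestedRendition) {
  return ctx.Reason === "rendition" && ctx.Rendition === requestedRendition;
}

// Constructed contexts, modelled on the expected/actual output in this issue
// with mainBlob as the requested rendition (the blob filename is made up).
const fixedContext = {
  Blob: "picture.jpg", XPath: null, CurrentUser: "Administrator",
  Reason: "rendition", Rendition: "mainBlob",
};
const affectedContext = {
  Blob: "picture.jpg", XPath: null, CurrentUser: "Administrator",
  Reason: "download", Rendition: null,
};

// Evaluate the same policy against both contexts.
function evaluate() {
  return [fixedContext, affectedContext].map((ctx) => ({
    reason: ctx.Reason,
    rendition: ctx.Rendition,
    identified: contextIdentifiesRendition(ctx, "mainBlob"),
    allowed: allowDownload(ctx),
  }));
}

for (const row of evaluate()) {
  console.log(JSON.stringify(row));
}
```

With the context reported as the actual result, the policy cannot tell the rendition request apart from any other download and lets it through; with the expected context the same policy denies it.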
      
