- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 9.10
- Fix Version/s: 9.10-HF27, 10.10-HF01, 11.1, 2021.0
- Component/s: Core
- Release Notes Summary: The download reason for Renditions is provided in the permission check.
- Tags:
- Backlog priority: 500
- Sprint: nxFG 11.1.1
- Story Points: 2

The permissions extension point of the download service allows restricting the downloads of a document's blob(s) based on a context provided to a JavaScript run() function.
When downloading renditions (e.g. mainBlob, xmlExport, ...), the context variable Rendition is always null. According to our documentation https://doc.nuxeo.com/910/nxdoc/file-download-security-policies/, it should contain the name of the rendition. Also, the context variable Reason is download; shouldn't it be rendition, as also mentioned in our documentation?
How to reproduce:
- in Studio Modeler, create a new XML extension with this code:
```xml
<extension target="org.nuxeo.ecm.core.io.download.DownloadService" point="permissions">
  <permission name="myperm">
    <script language="JavaScript">
      function run() {
        var allow = true;
        print("Document's UUID: " + (Document == null ? "null" : Document.getId()));
        print("Blob filename: " + (Blob == null ? "null" : Blob.getFilename()));
        print("XPath: " + XPath);
        print("CurrentUser's name: " + CurrentUser.getName());
        print("Reason: " + Reason);
        print("Rendition: " + Rendition);
        print("===");
        return allow;
      }
    </script>
  </permission>
</extension>
```
- deploy the Studio project and start the Nuxeo Platform with command nuxeoctl console
- log in to the JSF UI and get the XML export of a document (or use the REST API rendition endpoint as the Web UI does)
Expected result: the following output is produced in the terminal:
```
Document's UUID: null
Blob filename: document.xml
XPath: null
CurrentUser's name: Administrator
Reason: rendition
Rendition: xmlExport
```
Actual result: the following output is produced in the terminal:
```
Document's UUID: null
Blob filename: document.xml
XPath: null
CurrentUser's name: Administrator
Reason: download
Rendition: null
```
In a use case such as allowing only the preview of Picture documents and blocking the download of the main blob in the Web UI, it is impossible to block the rendition mainBlob.
Here is another example: retrieving the picture view FullHD using the REST API rendition endpoint with URL api/v1/path/default-domain/workspaces/ws1/San_Francisco_Bay_Area.j/@rendition/FullHD generates the following log in the console:
```
Document's UUID: null
Blob filename: FullHD_San_Francisco_Bay_Area.jpg
XPath: null
CurrentUser's name: Administrator
Reason: download
Rendition: null
```
- is required by: NXP-31166 Fix download context for renditions (Resolved)
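
An added example, not part of the original issue or Nuxeo's own code: a permission script for the use case described above (refusing the mainBlob rendition), evaluated against constructed contexts that mirror the console output quoted in the report. The top-level `var` stand-ins and the `runWith`/`report` helpers are assumptions made to run it outside Nuxeo; on an affected version every rendition request arrives looking like the third context, so the rule never fires.

```javascript
// Stand-ins for the context variables the download service injects into the
// script (names taken from the issue). In Nuxeo they are provided, not declared.
var Reason = null;
var Rendition = null;

// Renditions this policy refuses to serve (the issue's use case: no mainBlob).
var BLOCKED_RENDITIONS = ["mainBlob"];

// Body of the permission script: this function is what goes inside <script>.
function run() {
  if (String(Reason) === "rendition" && Rendition !== null) {
    // Deny only the listed renditions; other renditions stay downloadable.
    return BLOCKED_RENDITIONS.indexOf(String(Rendition)) === -1;
  }
  return true; // not identified as a rendition request: leave to other policies
}

// Hypothetical test helper (not a Nuxeo API): evaluate run() for one context.
function runWith(ctx) {
  Reason = ctx.Reason;
  Rendition = ctx.Rendition;
  return run();
}

// Constructed contexts mirroring the expected and actual output in the issue.
var fixedMainBlob = { Reason: "rendition", Rendition: "mainBlob" };
var fixedXmlExport = { Reason: "rendition", Rendition: "xmlExport" };
var affectedRendition = { Reason: "download", Rendition: null };

function report() {
  return {
    fixedMainBlob: runWith(fixedMainBlob),   // rule applies, download denied
    fixedXmlExport: runWith(fixedXmlExport), // other rendition, allowed
    affected: runWith(affectedRendition)     // rule cannot match, allowed
  };
}

console.log(report());
```
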