- Type: Bug
- Status: Open
- Priority: Critical
- Resolution: Unresolved
- Affects Version/s: 10.10
- Fix Version/s: None
- Component/s: Core VCS, Query & PageProvider, Security
- Environment: H2DB
- Sprint: nxFG 11.1.10, nxFG 11.1.11, nxFG 11.1.12, nxFG 11.1.13
Hello,
we are working on a custom security policy, and we had to enrich the queries to apply security restrictions like the following:
Given that the current user is a member of X groups, we are searching for documents from the original query that are additionally filtered by:
- not having the facet CustomDocument
- having the confidentiality level C1
- having the confidentiality level C2, with the groups of the current user referenced in any of the following document properties: recipients entities, authors entities, publisher entity
- having the confidentiality level C3, with the user referenced in any of the following document properties: recipient, author, creator
When we run the previously defined policy locally (H2 DB), we get a NullPointerException coming from how Nuxeo generates SQL queries based upon the NXQL AST.
The failing query is something like:
SELECT * FROM Document WHERE ecm:isProxy = 1 AND (rend:sourceVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf' OR ecm:proxyVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf')
If you add the security predicates, it would look something like:
SELECT * FROM Document WHERE ecm:mixinType <> 'CustomDocument' AND ecm:isProxy = 1 AND (rend:sourceVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf' OR ecm:proxyVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf') OR confidentiality:confidentialityLevel = 'C1' AND ecm:isProxy = 1 AND (rend:sourceVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf' OR ecm:proxyVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf') OR confidentiality:confidentialityLevel = 'C2' AND (ent:authorsEntities in ('ENT_X') OR ent:publisherEntity in ('ENT_X') OR ent:recipientEntities in ('ENT_X')) AND ecm:isProxy = 1 AND (rend:sourceVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf' OR ecm:proxyVersionableId = '06675086-56f5-4ca0-a40b-eb5bcf6f49bf')
To bypass the NullPointerException, I added some code that does not apply the security policy when the WHERE condition predicate has a first operand checking the ecm:isProxy property, and it works (for now).
Caused by: java.lang.NullPointerException
    at org.nuxeo.ecm.core.storage.sql.jdbc.NXQLQueryMaker$WhereBuilder.getSpecialColumnInfo(NXQLQueryMaker.java:1703) ~[nuxeo-core-storage-sql-10.10-HF10.jar:?]
    at org.nuxeo.ecm.core.storage.sql.jdbc.NXQLQueryMaker$WhereBuilder.getColumnInfo(NXQLQueryMaker.java:1720) ~[nuxeo-core-storage-sql-10.10-HF10.jar:?]
    at org.nuxeo.ecm.core.storage.sql.jdbc.NXQLQueryMaker$WhereBuilder.visitExpression(NXQLQueryMaker.java:1908) ~[nuxeo-core-storage-sql-10.10-HF10.jar:?]
    at org.nuxeo.ecm.core.query.sql.model.Expression.accept(Expression.java:52) ~[nuxeo-core-query-10.10-HF10.jar:?]
    at org.nuxeo.ecm.core.query.sql.model.DefaultQueryVisitor.visitExpression(DefaultQueryVisitor.java:103) ~[nuxeo-core-query-10.10-HF10.jar:?]
    at org.nuxeo.ecm.core.storage.sql.jdbc.NXQLQueryMaker$WhereBuilder.visitExpression(NXQLQueryMaker.java:1950) ~[nuxeo-core-storage-sql-10.10-HF10.jar:?]
    at org.nuxeo.ecm.core.query.sql.model.Expression.accept(Expression.java:52) ~[nuxeo-core-query-10.10-HF10.jar:?]
    at org.nuxeo.ecm.core.query.sql.model.DefaultQueryVisitor.visitExpression(DefaultQueryVisitor.java:103) ~[nuxeo-core-query-10.10-HF10.jar:?]
    at org.nuxeo.ecm.core.storage.sql.jdbc.NXQLQueryMaker$WhereBuilder.visitExpression(NXQLQueryMaker.java:1950) ~[nuxeo-core-storage-sql-10.10-HF10.jar:?]
    at org.nuxeo.ecm.core.query.sql.model.Expression.accept(Expression.java:52) ~[nuxeo-core-query-10.10-HF10.jar:?]
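The policy described in this report, modelled outside Nuxeo as an added example (not the reporter's code and not the Nuxeo query API): it wraps the original predicate once as original AND (policy) and checks on constructed documents that this selects the same rows as the distributed shape of the enriched query above. The usr:* property names for the C3 branch and the sample documents are assumptions.

```python
# Added illustration: a toy predicate model, not the Nuxeo query API.
from collections import namedtuple

Cmp = namedtuple("Cmp", "prop op value")   # leaf; op is '=', '<>' or 'IN'
Bool = namedtuple("Bool", "op args")       # AND / OR over sub-predicates
def AND(*args): return Bool("AND", args)
def OR(*args): return Bool("OR", args)

LEVEL = "confidentiality:confidentialityLevel"
ENTITY_PROPS = ("ent:authorsEntities", "ent:publisherEntity", "ent:recipientEntities")
USER_PROPS = ("usr:recipients", "usr:authors", "usr:creator")  # assumed names

def policy(user, groups):
    """The four visibility branches listed in the report."""
    return OR(
        Cmp("ecm:mixinType", "<>", "CustomDocument"),
        Cmp(LEVEL, "=", "C1"),
        AND(Cmp(LEVEL, "=", "C2"), OR(*(Cmp(p, "IN", tuple(groups)) for p in ENTITY_PROPS))),
        AND(Cmp(LEVEL, "=", "C3"), OR(*(Cmp(p, "IN", (user,)) for p in USER_PROPS))))

def secure(original, user, groups):
    """Wrap the caller's predicate once: original AND (policy)."""
    return AND(original, policy(user, groups))

def distributed(original, user, groups):
    """Shape used in the report: every branch ANDed with the original, then ORed."""
    return OR(*(AND(branch, original) for branch in policy(user, groups).args))

def matches(p, doc):
    if isinstance(p, Bool):
        hits = [matches(a, doc) for a in p.args]
        return all(hits) if p.op == "AND" else any(hits)
    have = doc.get(p.prop, ())
    have = set(have) if isinstance(have, (list, tuple)) else {have}
    want = set(p.value) if p.op == "IN" else {p.value}
    return not (have & want) if p.op == "<>" else bool(have & want)

def visible(query, docs):
    return [name for name, doc in docs.items() if matches(query, doc)]

TARGET = "06675086-56f5-4ca0-a40b-eb5bcf6f49bf"
ORIGINAL = AND(Cmp("ecm:isProxy", "=", 1),
               OR(Cmp("rend:sourceVersionableId", "=", TARGET), Cmp("ecm:proxyVersionableId", "=", TARGET)))
CUSTOM = {"ecm:isProxy": 1, "ecm:proxyVersionableId": TARGET, "ecm:mixinType": ["CustomDocument"]}
DOCS = {  # constructed sample documents
    "plain": {**CUSTOM, "ecm:mixinType": []},
    "c2_mine": {**CUSTOM, LEVEL: "C2", "ent:authorsEntities": ["ENT_X"]},
    "c2_other": {**CUSTOM, LEVEL: "C2", "ent:authorsEntities": ["ENT_Y"]},
    "c3_mine": {**CUSTOM, LEVEL: "C3", "usr:creator": "alice"},
    "not_proxy": {"ecm:isProxy": 0, "ecm:mixinType": []}}
```

With an empty group list the C2 branch matches nothing, so a user without groups sees fewer documents rather than more.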