[NXP-29791] Forbid deletion of the main blob of a document under retention / legal hold - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.10
Fix Version/s: 10.10-HF35, 11.4, 2021.0
Component/s: Retention

Release Notes Summary:
The deletion of the main blob of a document under retention is forbidden.
Tags:
- SupCom
- nxFG
Backlog priority:
900
Sprint:
nxApps 2020 Cycle 10, nxApps 2020 Cycle 11

Description

REST PUT Document API can alter the file:content property even in LegalHold and Retention statuses

Configure an instance with Nuxeo 10.10-HF33 + nuxeo-web-ui + nuxeo-retention

create a File document and attach a binary to it
take the ID of the document to change it in the script below (a7b1a117-531e-41f9-af29-adb65ce19830 in the example, and also adapt the dc:title)

invoke the script

curl -H 'Content-Type:application/json+nxrequest' -X POST -d '{"params":{},"context":{}}' -u Administrator:Administrator http://localhost:8080/nuxeo/api/v1/automation/JsonStack.ToggleDisplay

curl -v -u Administrator:Administrator -X PUT -d '
    {
            "entity-type": "document",
            "uid": "a7b1a117-531e-41f9-af29-adb65ce19830",
            "properties": {
                "file:content": { "name": "Break file.png" },
		"dc:title": "Support"
            }
    }
' -H "Accept: application/json" -H "Content-Type: application/json" -H "properties: dublincore, file" http://localhost:8080/nuxeo/api/v1/id/a7b1a117-531e-41f9-af29-adb65ce19830

curl -H 'Content-Type:application/json+nxrequest' -X POST -d '{"params":{},"context":{}}' -u Administrator:Administrator http://localhost:8080/nuxeo/api/v1/automation/JsonStack.ToggleDisplay

refresh the WebUI page for the document: the binary should have disappeared from the document -> the script works
add back the binary to the same File document
put the document under LegalHold state and watch the black bar in the WebUI screen indicating this status
invoke the previous script again
refresh the WebUI page for the document: the binary has again disappeared from the document although its status is LegalHold
In the output of the script above, you can witness that:
```
"isRecord":true,"retainUntil":null,"hasLegalHold":true,"isUnderRetentionOrLegalHold":true
```

This issue is reported both for LegalHold and Retention states.

Expected result: a document in LegalHold state should not be altered including file:content as stated in https://doc.nuxeo.com/nxdoc/nuxeo-retention-technical-overview/

If a legal hold is applied to a document or if a retention rule is applied to a document, then:
Modification of the main blob (file:content) is prevented: this includes modification through restoring an older version.
[...]
This applies in all situations, no exception, including for Administrators.