  1. Nuxeo Platform
  2. NXP-29791

Forbid deletion of the main blob of a document under retention / legal hold

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 10.10
    • Fix Version/s: 10.10-HF35, 11.4, 2021.0
    • Component/s: Retention
    • Release Notes Summary:
      The deletion of the main blob of a document under retention is forbidden.
    • Tags:
    • Backlog priority:
      900
    • Sprint:
      nxApps 2020 Cycle 10, nxApps 2020 Cycle 11

      Description

      The REST PUT Document API can alter the file:content property even when the document is in LegalHold or Retention status

      Configure an instance with Nuxeo 10.10-HF33 + nuxeo-web-ui + nuxeo-retention

      1. create a File document and attach a binary to it
      2. note the ID of the document and substitute it in the script below (a7b1a117-531e-41f9-af29-adb65ce19830 in the example; also adapt the dc:title)
      3. invoke the script
        curl -H 'Content-Type:application/json+nxrequest' -X POST -d '{"params":{},"context":{}}' -u Administrator:Administrator http://localhost:8080/nuxeo/api/v1/automation/JsonStack.ToggleDisplay
        
        curl -v -u Administrator:Administrator -X PUT -d '
            {
                "entity-type": "document",
                "uid": "a7b1a117-531e-41f9-af29-adb65ce19830",
                "properties": {
                    "file:content": { "name": "Break file.png" },
                    "dc:title": "Support"
                }
            }
        ' -H "Accept: application/json" -H "Content-Type: application/json" -H "properties: dublincore, file" http://localhost:8080/nuxeo/api/v1/id/a7b1a117-531e-41f9-af29-adb65ce19830
        
        curl -H 'Content-Type:application/json+nxrequest' -X POST -d '{"params":{},"context":{}}' -u Administrator:Administrator http://localhost:8080/nuxeo/api/v1/automation/JsonStack.ToggleDisplay
        
      4. refresh the WebUI page for the document: the binary should have disappeared from the document -> the script works
      5. add back the binary to the same File document
      6. put the document under LegalHold state and watch the black bar in the WebUI screen indicating this status
      7. invoke the previous script again
      8. refresh the WebUI page for the document: the binary has again disappeared from the document although its status is LegalHold
        In the output of the script above, you can witness that:
        "isRecord":true,"retainUntil":null,"hasLegalHold":true,"isUnderRetentionOrLegalHold":true

      This issue is reported both for LegalHold and Retention states.

      Expected result: a document in LegalHold state should not be altered, including its file:content, as stated in https://doc.nuxeo.com/nxdoc/nuxeo-retention-technical-overview/:

      If a legal hold is applied to a document or if a retention rule is applied to a document, then:
      Modification of the main blob (file:content) is prevented: this includes modification through restoring an older version.
      [...]
      This applies in all situations, no exception, including for Administrators.
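
      The main-blob rule quoted above, modelled as a check applied to a PUT body before it is persisted (an added example, not Nuxeo's code and not the fix shipped for this issue). The function names, the stored blob descriptor and the ISO 8601 format of retainUntil are assumptions; the flags and the request body come from the report.

```python
from datetime import datetime, timezone

MAIN_BLOB = "file:content"  # main blob property named in the report

# Constructed stored state, using the flags quoted in the report's output.
HELD_DOC = {
    "uid": "a7b1a117-531e-41f9-af29-adb65ce19830",
    "isRecord": True, "retainUntil": None, "hasLegalHold": True,
    "properties": {"file:content": {"name": "contract.png"}, "dc:title": "Support"},
}
# PUT body from the reproduction steps.
REPRO_PUT = {
    "entity-type": "document", "uid": "a7b1a117-531e-41f9-af29-adb65ce19830",
    "properties": {"file:content": {"name": "Break file.png"}, "dc:title": "Support"},
}


def is_locked(doc, now):
    """Recompute the lock from hasLegalHold / retainUntil rather than a cached flag."""
    if doc.get("hasLegalHold"):
        return True
    retain_until = doc.get("retainUntil")  # assumption: null or ISO 8601 string
    if retain_until is None:
        return False
    deadline = datetime.fromisoformat(retain_until.replace("Z", "+00:00"))
    if deadline.tzinfo is None:  # assumption: naive timestamps are UTC
        deadline = deadline.replace(tzinfo=timezone.utc)
    return now < deadline


def check_put(doc, payload, now=None):
    """Return (allowed, reason). There is no caller or role argument because
    the quoted rule has no Administrator exception. Only the main-blob rule
    is modelled; other properties are out of scope here."""
    now = now or datetime.now(timezone.utc)
    props = payload.get("properties") or {}
    if MAIN_BLOB not in props:
        return True, "main blob not touched"
    if not is_locked(doc, now):
        return True, "no retention or legal hold"
    current = (doc.get("properties") or {}).get(MAIN_BLOB)
    if props[MAIN_BLOB] == current:  # client echoed the stored blob unchanged
        return True, "main blob unchanged"
    return False, "main blob locked by retention or legal hold"


if __name__ == "__main__":
    print(check_put(HELD_DOC, REPRO_PUT))
```
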
