[NXP-30417] Check immediate parent when emptying trash - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 10.10
Fix Version/s: 10.10-HF49, 11.x, 2021.4
Component/s: Core

Release Notes Summary:
Permissions on parent are checked before purging the trash.
Tags:
- SupCom
- nxplatform
Backlog priority:
750
Sprint:
nxplatform #36
Story Points:
5

Description

The 'Empty Trash' button triggers the EmptyTrash operation which triggers the purgeDocumentsUnder method of the AbstractTrashService. The method takes the document from which children are being removed. The method checks to see if the caller has access – but it checks it on the parent of the document, not the document itself.

The check should be on the document, not the parent, i.e.

if (!session.hasPermission(parent.getRef(), SecurityConstants.REMOVE_CHILDREN)) {
            return;
}

Attachments

Issue Links

is required by

NXP-29722 Fix EmptyTrash operation not deleting documents for users granted with the Everything permission

Resolved

Is referenced in

(1 Is referenced in)

Activity

People

Assignee:

Thomas Roger

Reporter:

Harlan Brown

Participants:

Harlan Brown, Jenkins, Support Tech User, Thomas Roger

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

2021-05-18 19:18

Updated:

2021-09-09 13:07

Resolved:

2021-06-08 08:55