  1. Nuxeo Platform
  2. NXP-30578

Fix READ ACLS computation on versions after a permission change

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 10.10
    • Fix Version/s: 10.10-HF55, 2021.12
    • Component/s: Core VCS
    • Release Notes Summary:
      Read ACLs for all versions of children are recomputed after a permission change.
    • Backlog priority:
      775
    • Upgrade notes:
      During an ACL update of a folder, Read ACLs are materialized on children documents for search optimization; this is done on different backends (Mongo, PostgreSQL).
      The current fix also recomputes Read ACLs for all versions of children. This means more queries and database updates, which certainly impacts performance during massive ACL updates.
    • Sprint:
      nxplatform #45, nxplatform #46, nxplatform #47, nxplatform #48, nxplatform #49
    • Story Points:
      0

      Description

      Pre-requisite :

      Steps to reproduce:

      1. create a Workspace under /default-domain/workspaces and grant Write permission to userA
      2. as userA, create a Versionable Folder and, inside it, a regular Folder
      3. call this command to snapshot the Versionable Folder
        curl -X POST 'http://localhost:8080/nuxeo/site/automation/Document.CreateTreeSnapshot' -H 'Nuxeo-Transaction-Timeout: 3' -H 'X-NXproperties: *' -H 'X-NXRepository: default' -H 'X-NXVoidOperation: false' -H 'content-type: application/json' -d '{"params":{},"input":"/default-domain/workspaces/workspace/snapfolder","context":{}}' -u userA:<PASSWORD>
        
      4. grant Read permission to userB on the Versionable Folder
      5. as userB, run an NXQL query (disable Elasticsearch if needed) to find the versions
        select * from Document where ecm:isVersion=1
      6. observe that the query does not return any result

      If the READ ACLs are built with "select nx_rebuild_read_acls()", then the results are displayed as expected
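
      The behaviour reported above, as an added toy model in Python (an illustration written for this page, not Nuxeo's code). `Doc`, `Repo` and all method names are hypothetical, the tree is constructed from the reproduction steps, and resolving a version's readers through its live document is a modelling assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Doc:
    id: str
    parent: Optional[str] = None      # live documents hang off a parent folder
    version_of: Optional[str] = None  # versions point at their live document
    acl: set = field(default_factory=set)  # users granted Read on this doc

class Repo:
    def __init__(self, docs):
        self.docs = {d.id: d for d in docs}
        self.read_acl = {}  # materialized cache: doc id -> users who may read
        self.rebuild_all()

    def effective_readers(self, doc_id):
        readers = set()
        while doc_id is not None:  # walk up; a version goes via its live doc
            doc = self.docs[doc_id]
            readers |= doc.acl
            doc_id = doc.version_of or doc.parent
        return readers

    def rebuild_all(self):  # full recomputation, like nx_rebuild_read_acls()
        for doc_id in self.docs:
            self.read_acl[doc_id] = self.effective_readers(doc_id)

    def grant_read(self, folder_id, user, include_versions):
        self.docs[folder_id].acl.add(user)
        todo, touched = [folder_id], []
        while todo:  # collect the folder and its live descendants
            cur = todo.pop()
            touched.append(cur)
            todo += [d.id for d in self.docs.values() if d.parent == cur]
        if include_versions:  # fixed behaviour: also refresh their versions
            touched += [d.id for d in self.docs.values() if d.version_of in touched]
        for doc_id in touched:
            self.read_acl[doc_id] = self.effective_readers(doc_id)

    def query_versions(self, user):  # search reads the cache, not live ACLs
        return sorted(d.id for d in self.docs.values()
                      if d.version_of and user in self.read_acl[d.id])

def sample_repo():  # constructed tree mirroring the reproduction steps
    return Repo([Doc("workspace", acl={"userA"}),
                 Doc("snapfolder", parent="workspace"),
                 Doc("folder", parent="snapfolder"),
                 Doc("snapfolder-v1", version_of="snapfolder"),
                 Doc("folder-v1", version_of="folder")])
```

      With `include_versions=False` the version query for userB stays empty until `rebuild_all()` runs; with `include_versions=True` the versions are returned right after the grant.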
