Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-30661

Fix DBSSession calling DeletionAction as non SYSTEM user

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2021.11
    • Component/s: Core DBS
    • Tags:
    • Upgrade notes:
      Hide

      Deletion BAF Action now runs with SYSTEM_USERNAME

      Show
      Deletion BAF Action now runs with SYSTEM_USERNAME
    • Team:
      PLATFORM
    • Sprint:
      nxplatform #46, nxplatform #47

      Description

      org.nuxeo.ecm.core.storage.dbs.DBSSession#remove launches the DeletionAction BAF action to perform the db deletion of descendants of a folderish document being removed.

      The problem is that we pass the current session's principal to run the action which will just skip the deletion of the document on which the current user does not have READ permission granted.

      Typical Scenario

      A given user has the REMOVE permission on document A but has permission blocked on descendant document B. If the user deletes doc A, the doc B will remain in DB as an orphan (i.e. ancestors does not exist anymore)

      We must run the DeletionAction as SYSTEM_USER

        Attachments

          Issue Links

          is caused by

          Improvement - An improvement or enhancement to an existing feature or task. NXP-25316 BAF: Use computation deletion in current API for DBS

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          Is referenced in

          [Captain Hook] PR for 2021: #269 PR for 2021: #269

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: