Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-30661

Fix DBSSession calling DeletionAction as non SYSTEM user

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2021.11
    • Component/s: Core DBS
    • Upgrade notes:
      Hide

      Deletion BAF Action now runs with SYSTEM_USERNAME

      Show
      Deletion BAF Action now runs with SYSTEM_USERNAME
    • Team:
      PLATFORM
    • Sprint:
      nxplatform #46, nxplatform #47

      Description

      org.nuxeo.ecm.core.storage.dbs.DBSSession#remove launches the DeletionAction BAF action to perform the db deletion of descendants of a folderish document being removed.

      The problem is that we pass the current session's principal to run the action which will just skip the deletion of the document on which the current user does not have READ permission granted.

      Typical Scenario

      A given user has the REMOVE permission on document A but has permission blocked on descendant document B. If the user deletes doc A, the doc B will remain in DB as an orphan (i.e. ancestors does not exist anymore)

      We must run the DeletionAction as SYSTEM_USER

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  PagerDuty

                  Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.