Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-30678

Retention: context parameter permissions are empty for an admin user

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: ADDONS_10.10, ADDONS_2021
    • Fix Version/s: 10.10-HF54, 2021.12
    • Component/s: Retention

      Description

      A regression was introduced by NXP-30342 with this commit

      The remove on the permissions list (when the doc is under retention or legal hold and the current user is admin) produced a silent exception:

      java.lang.UnsupportedOperationException: remove
      	at java.util.Iterator.remove(Iterator.java:102) ~[?:?]
      	at java.util.AbstractCollection.remove(AbstractCollection.java:299) ~[?:?]
      	at org.nuxeo.ecm.core.security.SecurityService.filterGrantedPermissions(SecurityService.java:162) ~[main/:?]
      	at org.nuxeo.ecm.core.api.AbstractSession.filterGrantedPermissions(AbstractSession.java:329) ~[main/:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.enrichers.BasePermissionsJsonEnricher.getPermissionsInSession(BasePermissionsJsonEnricher.java:87) ~[main/:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.enrichers.BasePermissionsJsonEnricher.write(BasePermissionsJsonEnricher.java:76) ~[main/:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.enrichers.BasePermissionsJsonEnricher.write(BasePermissionsJsonEnricher.java:1) ~[main/:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.enrichers.AbstractJsonEnricher.write(AbstractJsonEnricher.java:70) [main/:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.enrichers.AbstractJsonEnricher.write(AbstractJsonEnricher.java:1) [main/:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.AbstractJsonWriter.write(AbstractJsonWriter.java:81) [main/:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.ExtensibleEntityJsonWriter.write(ExtensibleEntityJsonWriter.java:106) [main/:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.AbstractJsonWriter.write(AbstractJsonWriter.java:81) [main/:?]
      	at org.nuxeo.ecm.webengine.jaxrs.coreiodelegate.PartialCoreIODelegate.writeTo(PartialCoreIODelegate.java:113) [classes/:?]
      	at com.sun.jersey.spi.container.ContainerResponse.write(ContainerResponse.java:302) [jersey-server-1.19.4.jar:1.19.4]
      	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1510) [jersey-server-1.19.4.jar:1.19.4]
      	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419) [jersey-server-1.19.4.jar:1.19.4]
      	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409) [jersey-server-1.19.4.jar:1.19.4]
      	at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409) [jersey-servlet-1.19.4.jar:1.19.4]
      	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558) [jersey-servlet-1.19.4.jar:1.19.4]
      	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733) [jersey-servlet-1.19.4.jar:1.19.4]
      	at org.nuxeo.ecm.webengine.app.jersey.WebEngineServlet.containerService(WebEngineServlet.java:62) [classes/:?]
      	at org.nuxeo.ecm.webengine.app.jersey.WebEngineServlet.service(WebEngineServlet.java:46) [classes/:?]
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.nuxeo.ecm.platform.web.common.RequestContextFilter.doFilter(RequestContextFilter.java:44) [main/:?]
      	at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.nuxeo.ecm.webengine.jaxrs.session.SessionCleanupFilter.run(SessionCleanupFilter.java:50) [classes/:?]
      	at org.nuxeo.ecm.webengine.jaxrs.HttpFilter.doFilter(HttpFilter.java:49) [classes/:?]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.nuxeo.ecm.webengine.app.WebContextFilter.doFilter(WebContextFilter.java:57) [classes/:?]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoRequestControllerFilter.doFilter(NuxeoRequestControllerFilter.java:139) [main/:?]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.nuxeo.ecm.webengine.app.HeaderFixFilter.run(HeaderFixFilter.java:62) [classes/:?]
      	at org.nuxeo.ecm.webengine.jaxrs.HttpFilter.doFilter(HttpFilter.java:49) [classes/:?]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilterInternal(NuxeoAuthenticationFilter.java:543) [main/:?]
      	at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilter(NuxeoAuthenticationFilter.java:346) [main/:?]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.nuxeo.ecm.platform.web.common.exceptionhandling.NuxeoExceptionFilter.doFilter(NuxeoExceptionFilter.java:40) [main/:?]
      	at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.nuxeo.ecm.core.management.jtajca.internal.Log4jWebFilter.doFilter(Log4jWebFilter.java:69) [main/:?]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) [tomcat-catalina-9.0.54.jar:9.0.54]
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382) [tomcat-coyote-9.0.54.jar:9.0.54]
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote-9.0.54.jar:9.0.54]
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:895) [tomcat-coyote-9.0.54.jar:9.0.54]
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1722) [tomcat-coyote-9.0.54.jar:9.0.54]
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.54.jar:9.0.54]
      	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-util-9.0.54.jar:9.0.54]
      	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-util-9.0.54.jar:9.0.54]
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.54.jar:9.0.54]
      	at java.lang.Thread.run(Thread.java:829) [?:?]
      

      The exception itself is caused by the upper caller BasePermissionsJsonEnricher which passes an array of permissions to the SecurityService as a list using the java.util.Arrays.asList helper (which returns a fixed-size list backed by the specified array). As a direct result, the add or remove method is not available on such list implementation and produces this UnsupportedOperationException.

      This exception could not be seen/detected because the implemented abstract class by the JSON enricher catches any exceptions to log them at INFO level (logging level not enabled by default). Global Exception catching without proper handling has never been a good idea/pattern but, in this particular case, we can't really rethrow any kind of errors without introducing a breaking change.

      The minimum would be to log a WARN if not an ERROR.

      Steps to reproduce:

      • Admin user creates a document
      • Admin user applies a Retention Rule to the document
      • Admin user doesn't see button to Extend Retention Period

      Expected Outcome:

      • Admin user clicks the Extend Retention Period and picks a later date on Date Picker
      • The document's Retention Period is extended

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  PagerDuty

                  Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.