Bug - possible fix!: error removing access rights

Hi There,

I've added access rights programmatically using this piece of code:

    PathRef path = new PathRef(tenantId+"/workspaces/");
    DocumentModel workspaces = session.getDocument(path);

    ACP acp = workspaces.getACP();
    ACL acl = acp.getOrCreateACL();
    int tenantAdministratorsGroupACEIndex = acl.indexOf(new ACE(userId, SecurityConstants.EVERYTHING, true));
    if (tenantAdministratorsGroupACEIndex == -1) {
        ACE ace = new ACE(userId, SecurityConstants.EVERYTHING, true);
        acl.add(ace);
        acp.addACL(acl);
        workspaces.setACP(acp, true);
    }

However now I'm getting the following error when I try to remove the rights of someone using the nuxeo interface:

message.error.removeRight


Update: The added acl rights also do not show in the field, it seems that when clicking the save button only the local rights are stored which are on the screen at that moment. So the programatically added rights also dissapear.

This is quite a issue as this happens also using the multi-tenant plug-in while changing the access rights on the domain, as these access rights also do not appear on the screen. Is there a way to fix this or is there a workaround?

reproduce info: (multi tenancy installed)

  1. create a new tenant (“test”)
  2. check access rights using the REST API: /nuxeo/site/api/v1/path/test/@acl
  3. add user access to tenant by using the user interface (manage – Access Rights)
  4. delete the use access to the tenant using the user interface (manage – Access Rights)
  5. check access rights again using the REST API: /nuxeo/site/api/v1/path/test/@acl (the tenant-test_members and tenant-test_Administrator groups have lost their access rights)

Extra info: I'm using nuxeo 5.8 with hotfixes and multi tenancy module installed.


Update 2:

I think it might be a problem in the following class on line 361:

http://fisheye.nuxeo.com/browse/~br=feature-NXP-11560-login-msg-timeout/nuxeo-dm/nuxeo-platform-webapp-core/src/main/java/org/nuxeo/ecm/webapp/security/SecurityActionsBean.java?r=18eaaa407007af0dfd5105ba84c07edaa8b4af50

The method “reconstructTableModel” is called, but I think “rebuildSecurityData” should be called. Is there a way I can test this myself, or is this “not done”?


update 3: I found out that it was not actually in the addPermission method as described above, but it is actually in the “updateSecurityOnDocument” method. What happens here is that the old ACP is overwritten by the new SecurityData taken from the current local rights in the user interface of Nuxeo, however the old acp rights (set programatically) are not taken into account.

 List<UserEntry> modifiableEntries = SecurityDataConverter.convertToUserEntries(securityData);
           ACP acp = currentDocument.getACP();

           if (null == acp) {
               acp = new ACPImpl();
           }

           acp.setRules(modifiableEntries.toArray(new UserEntry[0]));


       currentDocument.setACP(acp, true);
       documentManager.save();

I see two possible solutions: Maybe the programmatically set access rights have to be set differently

Or change the code like the following(not sure if it has other impacts)

        List<UserEntry> modifiableEntries = SecurityDataConverter.convertToUserEntries(securityData);
        //get the current ACP and ACL
        ACP oldacp = currentDocument.getACP();
        ACL oldACL = oldacp.getOrCreateACL();

        // create an empty variabele for the new rules
        ACPImpl acp = null;
        if (null == acp) {
            acp = new ACPImpl();
        }

        // set the new rules in the temp variable
        acp.setRules(modifiableEntries.toArray(new UserEntry[0]));

        //get the acl of the new rules
        ACL acl = acp.getOrCreateACL();

        //get the aces for the new rules
        ACE[] newAces = acl.getACEs();

        //for each of the new aces check if it exixts in the old aces if not add.
        for(ACE ace:newAces){
            int tenantAdministratorsGroupACEIndex = oldACL.indexOf(ace);
            if (tenantAdministratorsGroupACEIndex == -1) {
                oldACL.add(ace);
                oldacp.addACL(acl);
            }
        }

        currentDocument.setACP(oldacp, true);

This actually adds the new ace rules to the old ace rules.

It may not be the best option, but it may help to make a better option :-)

0 votes

0 answers

922 views

ANSWER