upgrade from 8.2 to 9.3 -- BaseSession.hasPermission change

We are upgrading from 8.2 to 9.3. We have some existing unit tests to test extensions we've built that are designed to test concurrency scenarios. There is a difference in how the BaseSession.hasPermission method executes from 8.2 to 9.3. In both versions, BaseSession.hasPermission calls ClientLoginModule.getCurrentPrincipal. In 8.2, when running as a separate thread, the getCurrentPrincipal method returns null and hasPermission returns true. In 9.3 from a separate thread, getCurrentPrincipal method also returns null but then hasPermission returns false. The null return triggers the different behavior in the BaseSession.hasPermission method between 8.2 and 9.3. I can overcome this by preceding the getUserModel call inside the thread with the following statement: Framework.Login();. This eliminates the null return. But I'm wondering if there's a better approach. Thanks

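@Test
public void foo() throws Exception {
    // Called on the test's own thread.
    UserManager userManager = Framework.getLocalService(UserManager.class);
    userManager.getUserModel("ex-1");
    Executors.newFixedThreadPool(1).execute(new FutureTask<>(() -> {
        // Called on a pool thread, where getCurrentPrincipal returns null.
        // Renamed: a lambda local cannot redeclare the enclosing method's userManager.
        UserManager threadUserManager = Framework.getLocalService(UserManager.class);
        threadUserManager.getUserModel("ex-2");
        return null; // FutureTask's single-argument constructor takes a Callable
    }));
}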

note - original post had an error which I've corrected…
01/04/2018

Nuxeo folks - I'm seeing this elsewhere. When invoking directory functionality from within event handlers (i.e. to add/modify Directory entries) the BaseSession checkPermission method gets a null principal from the ClientLoginModule but whereas before, NULL was interpreted as "you can do anything" now it is interpreted as "you can do nothing." So the code fails the permission check and aborts. So I'm adding Framework.login() in places where I have these event handlers but that can't be right. Help is appreciated.
01/05/2018



Yes this change was done on purpose (NXP-22463) to improve the security of directories.

In unit tests, you will have to use a login mechanism to provide an explicit user to the authentication stack. It can be as simple as calling your code inside Framework.doPrivileged.

0 votes
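The approach from the answer applied to the test in the question, as an added example (not code from the original thread or from Nuxeo): the directory call on the worker thread is wrapped in Framework.doPrivileged, and the test waits on the Future so a failure on that thread is reported. The class name, the test method name and the 30-second timeout are assumptions, as is the test class setup noted in the comment.

```java
import static org.junit.Assert.assertNotNull;

import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;

import org.junit.Test;
import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.platform.usermanager.UserManager;
import org.nuxeo.runtime.api.Framework;

// Assumption: this class carries the same runner and feature annotations as the
// existing test class, and the user "ex-2" from the question exists in the test directory.
public class DirectoryAccessFromThreadTest {

    @Test
    public void readsUserFromWorkerThread() throws Exception {
        // The worker thread has no current principal, so on 9.3 the directory
        // permission check denies the call unless it runs inside a login.
        Callable<DocumentModel> task = () ->
                // doPrivileged(Supplier) logs in, runs the supplier and logs out again,
                // so the login covers this one call and nothing else on the thread.
                Framework.doPrivileged(() -> {
                    UserManager userManager = Framework.getLocalService(UserManager.class);
                    return userManager.getUserModel("ex-2");
                });

        ExecutorService executor = Executors.newSingleThreadExecutor();
        try {
            Future<DocumentModel> result = executor.submit(task);
            // get() rethrows anything the worker threw (wrapped in ExecutionException),
            // so a failure on the pool thread fails the test instead of being lost.
            assertNotNull(result.get(30, TimeUnit.SECONDS));
        } finally {
            executor.shutdownNow();
        }
    }
}
```

Framework.doPrivileged runs the wrapped code as the system user, so keep the wrapped block limited to the calls that need it.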



Ok Thanks!
01/12/2018