Permissions for groups - bug report and patch

I submit a bug report+patch here because I could not find out how to get a JIRA account.

We encountered an exception while trying to remove a permission associated to a group. The issue is related to the group ID format that includes “:” characters that conflicts with Nuxeo's ACE format that also uses “:” as a separator.

The exception we get while trying to remove permissions for group “ur1:dsi:snum:groupes:groupe2” : chain
Name: Document.RemovePermission
Exception: OperationException
Caught error: Failed to invoke operation Document.RemovePermission
Caused by: java.lang.NumberFormatException: For input string: “groupe2”
Hierarchy calls

at org.nuxeo.ecm.automation.server.jaxrs.OperationResource.execute(
at org.nuxeo.ecm.automation.server.jaxrs.ExecutableResource.doPost(
… 88 more
Caused by: org.nuxeo.ecm.automation.OperationException: Failed to invoke operation Document.RemovePermission
at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(
at org.nuxeo.ecm.automation.core.impl.CompiledChainImpl.doInvoke(
at org.nuxeo.ecm.automation.core.impl.CompiledChainImpl.invoke(
… 91 more
Caused by: java.lang.NumberFormatException: For input string: “groupe2”
at java.lang.NumberFormatException.forInputString(
at java.lang.Long.parseLong(
at java.lang.Long.valueOf(
at org.nuxeo.ecm.automation.core.operations.document.RemovePermission.removePermission(
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(
at sun.reflect.DelegatingMethodAccessorImpl.invoke(
at java.lang.reflect.Method.invoke(
at org.nuxeo.ecm.automation.core.impl.InvokableMethod.doInvoke(
at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(
… 94 more

Attached is a patch that preserves the groupId within an ACE; the aceId is analyzed using a regular expression instead of split().

0 votes

1 answers



Hello. Best way to submit a patch is to create a Pull Request on Github ( If it is approved, it will then be backported to maintenance branches. However, the colon (':') is clearly a reserved character for group and user ids.

The colon is the default separator used in the nuxeo-platform-shibboleth-groups-web addon (tree view of groups). This is certainly not a reserved character.


Thank you for your quick answer. I will do a submit a pull request for this.

Regarding the relevance of this proposal, I forgot to mention that our Nuxeo platform is configured to use external users and groups defined in our LDAP directory. This type of group IDs were correctly supported with Nuxeo 5.8 and we can't afford to change our groups naming schema because it would have consequences for all LDAP consuming apps.

Note also that the proposed code change does not break the ACE format logic; it just makes the ACE parser more precise and therefore more robust to unexpected username/group ID formats.


0 votes

Thanks for the pull request. Please see my comments on it.

NXP-21421 has been opened to track this.

The next hotfix version will include the correction.