"Read" Permission error

A chain is called from a workflow task. It creates a new document and starts a new workflow on it. For two years it has worked well, but very rarely. Yesterday I found that it had stopped working and returned an error.

    ****** WebUI.Refresh ******
    Chain ID: wf_MY_startWorkflowFromOtherWorkflow
    Chain Aliases: []
    Class: RefreshUI
    Method: 'run' | Input Type: void | Output Type: void
    Input: DocumentModelImpl(yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy, path=/division/workspaces/department/specialfolder/Untitled.1507557422637, title=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy)
    Parameters  | Name: additional list of seam events to raise, Value: workflowNewProcessStarted

    ****** end sub chain ******

    ****** end sub chain ******

    at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:238)
    at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:97)
    at org.nuxeo.ecm.platform.routing.core.impl.GraphNodeImpl.executeChain(GraphNodeImpl.java:514)
    ... 112 more
Caused by: org.nuxeo.ecm.automation.TraceException: org.nuxeo.ecm.automation.TraceException: org.nuxeo.ecm.automation.OperationException: Failed to invoke operation WebUI.Refresh with aliases [Seam.Refresh]
    at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:240)
    at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:121)
    at org.nuxeo.ecm.automation.core.operations.execution.RunOperation.run(RunOperation.java:61)
    at sun.reflect.GeneratedMethodAccessor1996.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.nuxeo.ecm.automation.core.impl.InvokableMethod.doInvoke(InvokableMethod.java:164)
    at org.nuxeo.ecm.automation.core.impl.CompiledChainImpl.invoke(CompiledChainImpl.java:116)
    at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:214)
    ... 114 more
Caused by: org.nuxeo.ecm.automation.TraceException: org.nuxeo.ecm.automation.OperationException: Failed to invoke operation WebUI.Refresh with aliases [Seam.Refresh]
    at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:240)
    at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:121)
    at org.nuxeo.ecm.automation.core.operations.execution.RunOperation.run(RunOperation.java:61)
    at sun.reflect.GeneratedMethodAccessor1996.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.nuxeo.ecm.automation.core.impl.InvokableMethod.doInvoke(InvokableMethod.java:164)
    at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(InvokableMethod.java:177)
    at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:214)
    ... 132 more
Caused by: org.nuxeo.ecm.automation.OperationException: Failed to invoke operation WebUI.Refresh with aliases [Seam.Refresh]
    at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(InvokableMethod.java:189)
    at org.nuxeo.ecm.automation.core.impl.CompiledChainImpl.doInvoke(CompiledChainImpl.java:130)
    at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:214)
    ... 160 more
Caused by: org.nuxeo.ecm.core.api.DocumentSecurityException: Privilege 'Read' is not granted to 'userWithReadWrite'
    at org.nuxeo.ecm.core.api.AbstractSession.checkPermission(AbstractSession.java:219)
    at org.nuxeo.ecm.core.api.AbstractSession.getDocument(AbstractSession.java:927)
    at org.nuxeo.ecm.webapp.context.NavigationContextBean.invalidateCurrentDocument(NavigationContextBean.java:229)
    at sun.reflect.GeneratedMethodAccessor2018.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
    at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:32)
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
    at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
    at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:196)
    at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:114)
    at org.nuxeo.ecm.webapp.context.NavigationContextBean_$$_javassist_seam_13.invalidateCurrentDocument(NavigationContextBean_$$_javassist_seam_13.java)
    at org.nuxeo.ecm.automation.jsf.operations.RefreshUI.run(RefreshUI.java:65)
    at sun.reflect.GeneratedMethodAccessor2294.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.nuxeo.ecm.automation.core.impl.InvokableMethod.doInvoke(InvokableMethod.java:164)
    at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(InvokableMethod.java:177)
    ... 179 more

The user 'userWithReadWrite' has the 'ReadWrite' permission assigned by the task. To eliminate the error, it is necessary to add the extra 'Read' permission for the user.

The following code is used:

    <chain id="wf_MY_toAccepted">
      <operation id="Context.FetchDocument"/>
      <operation id="Document.SetLifeCycle">
        <param type="string" name="value">accepted</param>
      </operation>
      <operation id="Audit.Log">
        <param type="string" name="event">PCW.gotoAccepted</param>
        <param type="string" name="category">ProcessChange</param>
        <param type="string" name="comment">expr:@{nodeLastActor}
comment: @{NodeVariables["comment"] != empty?NodeVariables["comment"].length()>900?NodeVariables["comment"].substring(0,900):NodeVariables["comment"]:""}</param>
      </operation>
      <operation id="Context.RunOperation">
        <param type="string" name="id">wf_MY_startNewWorkflow</param>
        <param type="boolean" name="isolate">true</param>
      </operation>
    </chain>

    <chain id="wf_MY_startNewWorkflow">
      <operation id="Context.RunOperation">
        <param type="string" name="id">wf_MY_initWorkflow</param>
        <param type="boolean" name="isolate">false</param>
      </operation>  
      <operation id="Context.RunOperation">
        <param type="string" name="id">wf_MY_startWorkflowFromProcessChange</param>
        <param type="boolean" name="isolate">false</param>
      </operation>  
    </chain>

    <chain id="wf_MY_initWorkflow">
      <operation id="Document.Fetch">
        <param type="document" name="value">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</param>
      </operation>
      <operation id="Document.Create">
        <param type="string" name="type">File</param>
      </operation>
      <operation id="Document.SetProperty">
        <param type="string" name="xpath">dc:title</param>
        <param type="boolean" name="save">true</param>
        <param type="serializable" name="value">Test read permission</param>
      </operation>
      <operation id="Document.SaveSession"/>
      <operation id="Context.SetVar">
        <param type="string" name="name">currentDoc</param>
        <param type="object" name="value">expr:Document.id</param>
      </operation>  
    </chain>

    <chain id="wf_MY_startWorkflowFromOtherWorkflow">
      <operation id="Document.Fetch">
        <param type="document" name="value">expr:@{currentDoc}</param>
      </operation>
      <operation id="Auth.LoginAs">
        <param type="string" name="name">userWithReadWrite</param>   
      </operation>
      <operation id="Context.StartWorkflow">
        <param type="string" name="id">MyNewWorkflow</param>
        <param type="boolean" name="start">true</param>
      </operation>
      <operation id="Seam.Refresh">
        <param type="stringlist" name="additional list of seam events to raise">workflowNewProcessStarted</param>
      </operation>
    </chain>

As I wrote, it has worked many times but now it does not. I have not yet checked where the source of the problem is.


ANSWER

Hello,

I cannot dig into your issue for now, but if you have switched from one Nuxeo version to another, don't hesitate to look here for release updates:

https://doc.nuxeo.com/nxdoc/upgrading-the-nuxeo-platform/#detailed-upgrade-by-version

10/18/2017

When the task is finished by the user, the system first removes the ReadWrite permission granted to the user by the task, and then the chain in "rnode:transitions" of this task is executed. (In debug mode he has no ReadWrite permission.) As the "Seam.Refresh" operation uses the current user as Principal, there is no possibility to inform the system that a new workflow was started by the user with the temporary permission given by the task.
10/23/2017
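
A triage helper for traces like the one in the question, as an added example that is not part of the original thread or of Nuxeo's code: it walks the `Caused by:` chain to the root `DocumentSecurityException` and reports the denied privilege, the principal, and the Nuxeo frames that led to the check. The function name `summarize_denial` and the abridged sample trace are assumptions made for this example.

```python
import re

# Sample input: abridged from the trace format shown in the question.
SAMPLE_TRACE = """\
****** WebUI.Refresh ******
Chain ID: wf_MY_startWorkflowFromOtherWorkflow
    at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:238)
Caused by: org.nuxeo.ecm.automation.OperationException: Failed to invoke operation WebUI.Refresh with aliases [Seam.Refresh]
    at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(InvokableMethod.java:189)
    ... 160 more
Caused by: org.nuxeo.ecm.core.api.DocumentSecurityException: Privilege 'Read' is not granted to 'userWithReadWrite'
    at org.nuxeo.ecm.core.api.AbstractSession.checkPermission(AbstractSession.java:219)
    at org.nuxeo.ecm.core.api.AbstractSession.getDocument(AbstractSession.java:927)
    at org.nuxeo.ecm.webapp.context.NavigationContextBean.invalidateCurrentDocument(NavigationContextBean.java:229)
    at sun.reflect.GeneratedMethodAccessor2018.invoke(Unknown Source)
    at org.nuxeo.ecm.automation.jsf.operations.RefreshUI.run(RefreshUI.java:65)
    ... 179 more
"""

CHAIN = re.compile(r"^Chain ID: (\S+)")
CAUSE = re.compile(r"^Caused by: ([\w.$]+): (.*)$")
FRAME = re.compile(r"^\s+at ([\w.$]+)\.([\w$<>]+)\(")
OPERATION = re.compile(r"Failed to invoke operation (\S+)")
DENIED = re.compile(r"Privilege '([^']+)' is not granted to '([^']+)'")

def summarize_denial(trace):
    """Return chain, operation, privilege, principal and call path of a root permission denial."""
    chain_id = operation = cause_class = cause_msg = None
    frames = []
    for line in trace.splitlines():
        if m := CHAIN.match(line):
            chain_id = m.group(1)              # last chain header seen in the trace
        elif m := CAUSE.match(line):
            cause_class, cause_msg = m.groups()  # the last "Caused by" is the root cause
            frames = []                        # keep only the root cause's frames
            op = OPERATION.search(cause_msg)
            operation = op.group(1) if op else operation
        elif cause_class and (m := FRAME.match(line)):
            if m.group(1).startswith("org.nuxeo."):  # drop reflection and Seam plumbing
                frames.append(f"{m.group(1).rsplit('.', 1)[-1]}.{m.group(2)}")
    denied = DENIED.search(cause_msg or "")
    if not (cause_class or "").endswith("DocumentSecurityException") or not denied:
        return None  # root cause is not a permission denial
    return {"chain": chain_id, "operation": operation, "privilege": denied.group(1),
            "principal": denied.group(2), "path": frames}
```

On the sample, the call path ends at `RefreshUI.run`, which shows that the `Read` check was made on behalf of the current principal during the UI refresh rather than by the workflow start itself.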