Understood now, that will require a code change to the alfresco-indexer connector. I can have a look at the code once i find a bit of time.
On 3 December 2017 at 20:19, Phillip Rhodes (JIRA) <[email protected]> wrote: > > [ https://issues.apache.org/jira/browse/CONNECTORS-1473? > page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel& > focusedCommentId=16276072#comment-16276072 ] > > Phillip Rhodes edited comment on CONNECTORS-1473 at 12/3/17 8:18 PM: > --------------------------------------------------------------------- > > I'm talking about the allow_token_document field. In Alfresco I have > granted permissions to a folder for individual discrete users (as opposed > to a group), and at ingestion time I see (correctly, as I understand it) > tokens for those individual users. > > "allow_token_document":["Alfresco:testuser1", "Alfresco:testuser2", > "Alfresco:testuser3", "Alfresco:testuser4"], > > But at query time, when sending, say, testuser1, to the authority service, > you don't get back an access token for the *user*, only the groups that > user is in. > > That is, I get this: > > AUTHORIZED:Alfresco+Authority+Connection > TOKEN:Alfresco:GROUP_EVERYONE > > where I think the result should be: > > AUTHORIZED:Alfresco+Authority+Connection > TOKEN:Alfresco:GROUP_EVERYONE > TOKEN:Alfresco:testuser1 > > And so you don't get any search results even though the user actually has > permission to that content. > > > > was (Author: sprhodes): > I'm talking about the allow_token_document field. In Alfresco I have > granted permissions to a folder for individual discrete users (as opposed > to a group), and at ingestion time I see (correctly, as I understand it) > tokens for those individual users. > > "allow_token_document":["Alfresco:testuser1", "Alfresco:testuser2", > "Alfresco:testuser3", "Alfresco:testuser4"], > > But at query time, when sending, say, testuser1, to the authority service, > you don't get back an access token for the *user*, only the groups that > user is in. And so you don't get any search results even though the user > actually has permission to that content. > > > > Authority Service doesn't return same set of tokens for user at query > time as the set used for ingestion, when using Alfresco > > ------------------------------------------------------------ > ----------------------------------------------------------------- > > > > Key: CONNECTORS-1473 > > URL: https://issues.apache.org/ > jira/browse/CONNECTORS-1473 > > Project: ManifoldCF > > Issue Type: Bug > > Components: Alfresco webscript connector > > Environment: Alfresco: > > Installed Schema 6022 > > Installed Version 4.2.0 (4576) > > Server Schema 6022 > > Server Version 4.2.0 (4576) > > ManifoldCF - built from source using the latest sources about a month ago > > Solr - 6.6.0 > > Reporter: Phillip Rhodes > > Assignee: Karl Wright > > Fix For: ManifoldCF 2.9 > > > > Attachments: CONNECTORS-1473.patch > > > > > > Using ManifoldCF to index content from Alfresco into Solr, and using the > MCF SearchComponent to restrict access on the Solr side, I'm seeing the > following unusual behavior: > > 1. I have an Alfresco server storing documents. There are 65 docs in > > the built in "sample" space, which defaults to allowing access to > > everyone. > > 2. With the MCF SearchComponent installed into Solr, if I pass the > > AuthenticatedUserName parameter with any value, I get back all 65 > > documents as expected. > > 3. I added another space in Alfresco that only allows access for 4 > > specific users... testuser1, testuser2, testuser3, and testuser4. If I > > log into Alfresco as any of those users I can view and/or upload > > content to the space. > > 4. I put 7 documents in that space, and re-indexed with MCF. > > 5. Solr now shows a total of 72 documents for the core in question. > > 6. But, if I pass AuthenticatedUserName=testuser1 with my query, I > > still only see the 65 docs from the other space. > > 7. If I temporarily turn off the MCF SearchComponent in Solr, I can > > see the docs from the "locked down" space. > > I set the various token fields to stored="true" so I can see what is > > getting stored, and here's what I see for one sample document (one > > that isn't being returned with the SearchComponent enabled, but which > > should be). > > "allow_token_document":["Alfresco:testuser1", "Alfresco:testuser2", > > "Alfresco:testuser3", "Alfresco:testuser4"], > > "deny_token_document":["__nosecurity__"], > > "deny_token_parent":["__nosecurity__"], > > "allow_token_share":["__nosecurity__"], > > "allow_token_parent":["__nosecurity__"], > > "deny_token_share":["__nosecurity__"], > > Note that at ingestion time, tokens were created of the form > Alfresco:username for the specific individual users which were granted > access to the "secure" folder. > > However, if I make a direct request to the MCF UserACL's endpoint for, > say, testuser1, like this: > > http://manifoldcf.fogbeam.link:8345/mcf-authority- > service/UserACLs?username=testuser1 > > I get back: > > AUTHORIZED:Alfresco+Authority+Connection > > TOKEN:Alfresco:GROUP_EVERYONE > > which explains why I can see the documents from the public folder, > because they all have an allow_token_document for Alfresco:GROUP_EVERYONE. > But note that what I don't get back here is the token for the specific user > testuser1, which would match what was stored during ingestion. > > > > -- > This message was sent by Atlassian JIRA > (v6.4.14#64029) > -- Luis Cabaceira
