[ 
https://jira.nuxeo.com/browse/NXP-8011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=106916#comment-106916
 ] 

Anahide Tchertchian edited comment on NXP-8011 at 11/30/11 10:12 PM:
---------------------------------------------------------------------

this method is used to select documents with permissions set on it: the 
'allGroups' field should hold the user id, and all the groups (virtual or not) 
that will be used to perform a security check so that:
imagine there is a group "nuxeo" with sub group "developers", itself with sub 
group "starship" and let's say current user is explicitly a member of the 
"developers" group.
- document A has read permission for the "nuxeo" group => current user should 
be able to see it
- document B has read permission for the "developers" group => current user 
should be able to see it
- document C has read permission for the "starship" group => current user 
should *not* be able to see it

when including the parent groups (which current user is implicitly a member 
of), documents will be retrieved from the repository with selections on ACLS 
for the groups "nuxeo" and "developers" => only document A and B will be 
retrieved (OK)

when including the member groups, selections will be done with "developers" and 
"starship" => document A will not be retrieved *(KO)*, B will be (OK), C will 
be *(KO)*

so I rolled back your commit, can you describe what's your issue with it?

      was (Author: atchertchian):
    This method is used to select documents with permissions set on it: the 
'allGroups' field should hold the user id, and all the groups (virtual or not) 
that will be used to perform a security check so that:
imagine there is a group "nuxeo" with sub group "developers" with sub groups 
"starship", let's say current user is explicitly a member of the "developers" 
group.
- document A has read permission for the "nuxeo" group => current user should 
be able to see it
- document B has read permission for the "developers" group => current user 
should be able to see it
- document C has read permission for the "starship" group => current user 
should be *not* able to see it

when retrieving the parent groups, the documents selection when querying the 
repository will be done on "nuxeo" and "developers" for the user => only 
document A and B will be retrieved (OK)

when retrieving the member groups, the documents selection when querying the 
repository will be done on "developers" and "starship" for the user => document 
A will not be retrieved (KO), B will be (OK), C will be retrieved (KO)

so I rolled back your commit, can you describe what's your issue with it?
  
> Computing all groups in NuxeoPrincipal is adding all the parent groups 
> instead of the sub groups
> ------------------------------------------------------------------------------------------------
>
>                 Key: NXP-8011
>                 URL: https://jira.nuxeo.com/browse/NXP-8011
>             Project: Nuxeo Enterprise Platform
>          Issue Type: Bug
>          Components: Security / Rights
>    Affects Versions: 5.4.2
>            Reporter: Sun Tan
>            Assignee: Sun Tan
>             Fix For: 5.5
>
>
> nuxeo-services/nuxeo-platform-usermanager-api/src/main/java/org/nuxeo/ecm/platform/usermanager/NuxeoPrincipalImpl.java
> line 344
> {code}
>                     groupsToProcess.addAll(nxGroup.getParentGroups());
> {code}
> instead of
> {code}
>                     groupsToProcess.addAll(nxGroup.getMemberGroups());
> {code}
> With the current behavior, the field allGroups contains all the parent groups 
> (but shouldn't).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
_______________________________________________
ECM-tickets mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets
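
The nuxeo / developers / starship scenario from the comment above, worked through as an added example (not code from Nuxeo or from this ticket). The maps, the `closure` and `visible` helpers and the user id `jdoe` are hypothetical stand-ins for the group directory and the ACL query; Java 9 or later is assumed.

```java
import java.util.*;

public class AllGroupsDemo {
    // Constructed hierarchy from the comment: nuxeo > developers > starship.
    static final Map<String, List<String>> PARENTS = Map.of(
        "nuxeo", List.of(),
        "developers", List.of("nuxeo"),
        "starship", List.of("developers"));
    static final Map<String, List<String>> MEMBERS = Map.of(
        "nuxeo", List.of("developers"),
        "developers", List.of("starship"),
        "starship", List.of());
    // Constructed read ACLs: document -> group granted read permission.
    static final Map<String, String> READ_ACL = new TreeMap<>(Map.of(
        "A", "nuxeo", "B", "developers", "C", "starship"));

    // Transitive closure from the user's direct groups, following `edges`.
    // The result set doubles as a visited set, so a cyclic group
    // definition cannot make the walk loop forever.
    static Set<String> closure(String user, List<String> direct,
                               Map<String, List<String>> edges) {
        Set<String> all = new LinkedHashSet<>();
        all.add(user);
        Deque<String> toProcess = new ArrayDeque<>(direct);
        while (!toProcess.isEmpty()) {
            String g = toProcess.poll();
            if (all.add(g)) {
                toProcess.addAll(edges.getOrDefault(g, List.of()));
            }
        }
        return all;
    }

    // Documents whose read ACL names one of the principal's groups.
    static List<String> visible(Set<String> allGroups) {
        List<String> docs = new ArrayList<>();
        for (Map.Entry<String, String> e : READ_ACL.entrySet()) {
            if (allGroups.contains(e.getValue())) docs.add(e.getKey());
        }
        return docs;
    }

    public static void main(String[] args) {
        List<String> direct = List.of("developers");
        Set<String> up = closure("jdoe", direct, PARENTS);
        Set<String> down = closure("jdoe", direct, MEMBERS);
        System.out.println("parents: " + up + " -> " + visible(up));
        System.out.println("members: " + down + " -> " + visible(down));
    }
}
```

Walking parent groups selects documents A and B; walking member groups drops A and exposes C, which is the over-grant the comment marks as KO.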
