diff --git a/config/alfresco/public-services-security-context.xml b/config/alfresco/public-services-security-context.xml
index dfa3052245..473037961f 100644
--- a/config/alfresco/public-services-security-context.xml
+++ b/config/alfresco/public-services-security-context.xml
@@ -247,6 +247,9 @@
${security.anyDenyDenies}
+
+ ${security.postProcessDenies}
+
diff --git a/config/alfresco/repository.properties b/config/alfresco/repository.properties
index c4327a8f13..c347119a32 100644
--- a/config/alfresco/repository.properties
+++ b/config/alfresco/repository.properties
@@ -837,6 +837,8 @@ orphanReaper.lockTimeOut=3600000
# security
security.anyDenyDenies=true
+# Whether to post-process denies. Only applies to solr4+ when anyDenyDenies is true.
+security.postProcessDenies=false
#
# Encryption properties
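Review bot: The comment added above `security.postProcessDenies=false` does not say what the value means for access control. Judging by the ACLEntryAfterInvocationProvider change in this same commit, with `security.anyDenyDenies=true` and this property left at `false`, the repository returns a Solr result set without its own permission filtering whenever the response carries `processedDenies` = true. I would spell that out, for example `# false (default): results Solr reports as already deny-processed are returned without a repository ACL re-check; true: always re-check. Only applies to solr4+ when anyDenyDenies is true.`, so an operator can see that `true` is the conservative setting.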
diff --git a/source/java/org/alfresco/repo/search/impl/lucene/SolrJSONResultSet.java b/source/java/org/alfresco/repo/search/impl/lucene/SolrJSONResultSet.java
index 97e0070286..aa24142994 100644
--- a/source/java/org/alfresco/repo/search/impl/lucene/SolrJSONResultSet.java
+++ b/source/java/org/alfresco/repo/search/impl/lucene/SolrJSONResultSet.java
@@ -81,6 +81,9 @@ public class SolrJSONResultSet implements ResultSet, JSONResult
private long lastIndexedTxId;
private SpellCheckResult spellCheckResult;
+
+ private boolean processedDenies;
+
/**
* Detached result set based on that provided
* @param resultSet
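Review bot: The new `processedDenies` field is undocumented, and the same holds for the parsing added in the constructor hunk and for the public `getProcessedDenies()` added at the end of the class. That matters because ACLEntryAfterInvocationProvider uses the value to decide whether permission filtering is skipped. I would add a field comment such as `// Set from the "processedDenies" key of the Solr response; stays false when the key is absent, so callers fall back to filtering`. The getter should get a matching Javadoc, `/** @return true if the Solr response reported that denies were already applied to these results */`. The default-false behaviour when the key is missing is visible in the `json.has(...)` guard and is worth stating explicitly, because it is the fail-closed path.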
@@ -104,7 +107,10 @@ public class SolrJSONResultSet implements ResultSet, JSONResult
{
lastIndexedTxId = json.getLong("lastIndexedTx");
}
-
+ if (json.has("processedDenies"))
+ {
+ processedDenies = json.getBoolean("processedDenies");
+ }
JSONArray docs = response.getJSONArray("docs");
int numDocs = docs.length();
@@ -466,4 +472,9 @@ public class SolrJSONResultSet implements ResultSet, JSONResult
{
return this.spellCheckResult;
}
+
+ public boolean getProcessedDenies()
+ {
+ return processedDenies;
+ }
}
diff --git a/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java b/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
index 90c2db7d52..bc925e420b 100644
--- a/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
+++ b/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
@@ -94,7 +94,7 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
private boolean optimisePermissionsCheck;
private int optimisePermissionsBulkFetchSize;
private boolean anyDenyDenies = false;
-
+ private boolean postProcessDenies = false;
/**
* Default constructor
*/
@@ -279,7 +279,8 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
{
return decide(authentication, object, config, (ChildAssociationRef) returnedObject);
}
- else if (SolrJSONResultSet.class.isAssignableFrom(returnedObject.getClass()) && !anyDenyDenies)
+ else if (SolrJSONResultSet.class.isAssignableFrom(returnedObject.getClass()) &&
+ (!anyDenyDenies || (!postProcessDenies && ((SolrJSONResultSet)returnedObject).getProcessedDenies())))
{
return returnedObject;
}
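Review bot: The rewritten `else if` returns the `SolrJSONResultSet` with no ACL filtering whenever `getProcessedDenies()` is true and `postProcessDenies` is false, which is the default set in repository.properties by this commit. With `anyDenyDenies` enabled, the authorization outcome therefore rests on a flag parsed from the search response. Nothing in this hunk shows how that response is authenticated or whether every index version sets the flag correctly, so I would at least document the trust assumption at the branch, e.g. `// Skip the repository ACL filter only if Solr reports it already applied denies; relies on the Solr response being trustworthy (see security.postProcessDenies)`. The nested negations are also hard to audit; a small private predicate would read better, used as `else if (returnedObject instanceof SolrJSONResultSet && canSkipAclFilter((SolrJSONResultSet) returnedObject))`. A debug log line when the filter is skipped would make this path visible in an investigation. The enclosing method starts and ends outside the hunk, so I cannot see whether `returnedObject` is null-checked earlier.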
@@ -525,6 +526,11 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
this.anyDenyDenies = anyDenyDenies;
}
+ public void setPostProcessDenies(boolean postProcessDenies)
+ {
+ this.postProcessDenies = postProcessDenies;
+ }
+
private ResultSet decide(Authentication authentication, Object object, ConfigAttributeDefinition config, ResultSet returnedObject) throws AccessDeniedException
{
ResultSet rs = optimisePermissionsCheck ? decideNew(authentication, object, config, returnedObject) :