From 7fc1fc7bf2bcea47a2f775900ff2082c2f9610f4 Mon Sep 17 00:00:00 2001 From: Matt Ward Date: Tue, 30 Sep 2014 13:24:47 +0000 Subject: [PATCH] ACE-2869: SOLR4 - security.anyDenyDenies=true config - result count from fts query still wrong. Results are no longer post-processed for anyDenyDenies when Solr4 is in use - the processing is done on the Solr side instead. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@86007 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../alfresco/public-services-security-context.xml | 3 +++ config/alfresco/repository.properties | 2 ++ .../repo/search/impl/lucene/SolrJSONResultSet.java | 13 ++++++++++++- .../impl/acegi/ACLEntryAfterInvocationProvider.java | 10 ++++++++-- 4 files changed, 25 insertions(+), 3 deletions(-) diff --git a/config/alfresco/public-services-security-context.xml b/config/alfresco/public-services-security-context.xml index dfa3052245..473037961f 100644 --- a/config/alfresco/public-services-security-context.xml +++ b/config/alfresco/public-services-security-context.xml @@ -247,6 +247,9 @@ ${security.anyDenyDenies} + + ${security.postProcessDenies} + diff --git a/config/alfresco/repository.properties b/config/alfresco/repository.properties index c4327a8f13..c347119a32 100644 --- a/config/alfresco/repository.properties +++ b/config/alfresco/repository.properties @@ -837,6 +837,8 @@ orphanReaper.lockTimeOut=3600000 # security security.anyDenyDenies=true +# Whether to post-process denies. Only applies to solr4+ when anyDenyDenies is true. +security.postProcessDenies=false # # Encryption properties diff --git a/source/java/org/alfresco/repo/search/impl/lucene/SolrJSONResultSet.java b/source/java/org/alfresco/repo/search/impl/lucene/SolrJSONResultSet.java index 97e0070286..aa24142994 100644 --- a/source/java/org/alfresco/repo/search/impl/lucene/SolrJSONResultSet.java +++ b/source/java/org/alfresco/repo/search/impl/lucene/SolrJSONResultSet.java 
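Review bot: The comment added above `security.postProcessDenies=false` in repository.properties does not tell an operator what the default means for access control. Going by the ACLEntryAfterInvocationProvider change later in this patch, `false` lets the repository return a Solr result set without its own deny filtering whenever the Solr response carries `processedDenies` set to true, so deny enforcement for search results then rests on the Solr side. I would spell that out in the file, for example `# false: trust the processedDenies flag returned by Solr 4 and skip repository-side deny filtering of search results; true: always filter in the repository.`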
@@ -81,6 +81,9 @@ public class SolrJSONResultSet implements ResultSet, JSONResult private long lastIndexedTxId; private SpellCheckResult spellCheckResult; + + private boolean processedDenies; + /** * Detached result set based on that provided * @param resultSet @@ -104,7 +107,10 @@ public class SolrJSONResultSet implements ResultSet, JSONResult { lastIndexedTxId = json.getLong("lastIndexedTx"); } - + if (json.has("processedDenies")) + { + processedDenies = json.getBoolean("processedDenies"); + } JSONArray docs = response.getJSONArray("docs"); int numDocs = docs.length(); @@ -466,4 +472,9 @@ public class SolrJSONResultSet implements ResultSet, JSONResult { return this.spellCheckResult; } + + public boolean getProcessedDenies() + { + return processedDenies; + } } diff --git a/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java b/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java index 90c2db7d52..bc925e420b 100644 --- a/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java +++ b/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java @@ -94,7 +94,7 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider, private boolean optimisePermissionsCheck; private int optimisePermissionsBulkFetchSize; private boolean anyDenyDenies = false; - + private boolean postProcessDenies = false; /** * Default constructor */ 
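Review bot: `getProcessedDenies()` and the `processedDenies` field in SolrJSONResultSet are added without Javadoc, although the value now feeds a permission decision in ACLEntryAfterInvocationProvider. The constructor hunk leaves the field `false` when the response has no `processedDenies` key, which is the safe direction because the repository then still post-processes; that deserves a one-line comment so the default is not flipped later. Suggested Javadoc on the getter: `/** @return true only if the Solr response reported that deny entries were already applied on the Solr side; false if the key was absent. */`. The constructor body starts and ends outside the hunk, so how a non-boolean value for the key is handled is not visible here.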
@@ -279,7 +279,8 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider, { return decide(authentication, object, config, (ChildAssociationRef) returnedObject); } - else if (SolrJSONResultSet.class.isAssignableFrom(returnedObject.getClass()) && !anyDenyDenies) + else if (SolrJSONResultSet.class.isAssignableFrom(returnedObject.getClass()) && + (!anyDenyDenies || (!postProcessDenies && ((SolrJSONResultSet)returnedObject).getProcessedDenies()))) { return returnedObject; } @@ -525,6 +526,11 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider, this.anyDenyDenies = anyDenyDenies; } + public void setPostProcessDenies(boolean postProcessDenies) + { + this.postProcessDenies = postProcessDenies; + } + private ResultSet decide(Authentication authentication, Object object, ConfigAttributeDefinition config, ResultSet returnedObject) throws AccessDeniedException { ResultSet rs = optimisePermissionsCheck ? decideNew(authentication, object, config, returnedObject) :
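Review bot: The rewritten `else if` in the `@@ -279` hunk packs an authorization decision into one nested boolean with an inline cast, and nothing says that the repository is relying on a flag reported in the Solr response. I would move the test into a small private helper whose Javadoc states the rule: filtering is skipped when anyDenyDenies is off, or when Solr reported the denies as processed and `postProcessDenies` is false. Because this branch returns the result set unfiltered, the helper is also the natural place for a debug log line if the class has a logger (not visible here). The enclosing method starts and ends outside the hunk, and the new `setPostProcessDenies` setter in the last hunk also has no Javadoc.

```java
else if (SolrJSONResultSet.class.isAssignableFrom(returnedObject.getClass()) &&
        canSkipDenyPostProcessing((SolrJSONResultSet) returnedObject))
{
    return returnedObject;
}
// … unchanged: remaining branches of this method …

/**
 * Decides whether a Solr result set may be returned without repository-side deny filtering.
 * Skipping is allowed when anyDenyDenies is off, or when the Solr response reported that
 * denies were already processed and postProcessDenies has not been switched on.
 */
private boolean canSkipDenyPostProcessing(SolrJSONResultSet results)
{
    if (!anyDenyDenies)
    {
        return true;
    }
    // The flag is self-reported by the search response; it is false when the key is absent.
    return !postProcessDenies && results.getProcessedDenies();
}
```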