Details
Bug
Status: Closed
Resolution: Duplicate
6.0.6 GA
Ubuntu, MySQL, Chrome 11
permissions.user.check.algorithm=5
Description
Hello,
We're having big problems with the Search portlet, and I'm trying to summarize them clearly here.
The net result of these problems is:
1. When searching "Everything", groupRoleId is always missing -> ONLY content with Guest visibility is found
2. Searching "This Community" works, but searching "This Organization" also returns only Guest viewable content
The problem is that when using the Search portlet, the generated search Query does not include groupRoleId terms which are necessary to find content which is not viewable to Guest. The below code is copied from SearchPermissionCheckerImpl.doGetPermissionQuery_5(..), but from what I can tell the same applies to ..._6.
    // ...
    PermissionCheckerBag bag = getUserBag(userId);

    List<Group> groups = new ArrayList<Group>();
    List<Role> roles = bag.getRoles();
    List<UserGroupRole> userGroupRoles = new ArrayList<UserGroupRole>();

    if ((groupIds == null) || (groupIds.length == 0)) {
        /*
         * When searching "Everything", groupId == 0L which makes groupIds an Array of length 1 so we don't
         * enter here. The statement should be
         * if (groupIds == null || groupIds.length == 0 || groupIds[0] == 0L) {
         */
        groups.addAll(
            GroupLocalServiceUtil.getUserGroups(userId, true));
        groups.addAll(bag.getGroups());

        userGroupRoles =
            UserGroupRoleLocalServiceUtil.getUserGroupRoles(userId);
    }
    else {
        for (long groupId : groupIds) {
            /*
             * This method (GroupLocalServiceUtil.hasUserGroup) seems to return false even when groupId is that of an
             * organization in which the user IS a member (it works correctly for Communities). (This is what happens
             * when searching "Current Organization" with the Search portlet.) Thus groups ends up empty!!
             */
            if (GroupLocalServiceUtil.hasUserGroup(userId, groupId)) {
                Group group = GroupLocalServiceUtil.getGroup(groupId);

                groups.add(group);
            }

            /*
             * These methods don't seem to account for implied roles (Org/Comm member etc),
             * but only for "physically persisted" ones. Probably by design though?
             */
            userGroupRoles.addAll(
                UserGroupRoleLocalServiceUtil.getUserGroupRoles(
                    userId, groupId));
            userGroupRoles.addAll(
                UserGroupRoleLocalServiceUtil.
                    getUserGroupRolesByUserUserGroupAndGroup(userId, groupId));
        }
    }

    // ...

    /*
     * Farther down in this method we encounter the following, EXTREMELY IMPORTANT, piece of code.
     * The catch is that if groups is empty, which it often is (wrongly in my opinion), no groupRoleId:s
     * are included in the search query.
     */
    for (Group group : groups) {
        addRequiredMemberRole(group, permissionQuery);
    }
In summary:
1. The if statement is wrong and does not properly handle the case of an array of long of length 1 whose element is 0L, which means that we often go into the else block even when we don't intend to (since e.g. the Search portlet explicitly passes groupId:0).
2. Since the groups from PermissionCheckerBag.getGroups() are not included when searching "Everything", we miss them.
3. GroupLocalServiceUtil.hasUserGroup(...) doesn't work correctly for Organizations
4. If all necessary groupIds are not in groups by the time we do addRequiredMemberRole(...), the user will not get all the hits which he has the rights to see.
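Summary point 1, modeled as a stand-alone Java example added here (not Liferay code and not part of the original report): it runs the quoted branch structure once with the original condition and once with the condition the report proposes. The class and method names are hypothetical, and the membership map, user id and group ids are constructed sample data.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class GroupScopeDemo {
    // Constructed sample data: user 42 is a member of groups 101 and 202.
    static final Map<Long, Set<Long>> MEMBERSHIPS = Map.of(42L, Set.of(101L, 202L));

    // Stand-in for a membership lookup; only consults the constructed map.
    static boolean hasUserGroup(long userId, long groupId) {
        return MEMBERSHIPS.getOrDefault(userId, Set.of()).contains(groupId);
    }

    // Condition as quoted in the report: only null or empty means "no scope".
    static boolean unscopedAsQuoted(long[] groupIds) {
        return groupIds == null || groupIds.length == 0;
    }

    // Condition proposed in the report: {0L} ("Everything") also means "no scope".
    static boolean unscopedAsProposed(long[] groupIds) {
        return groupIds == null || groupIds.length == 0 || groupIds[0] == 0L;
    }

    // Mirrors the branch structure of the quoted method and returns the groups
    // for which member-role terms would later be added to the permission query.
    static Set<Long> resolveGroups(long userId, long[] groupIds, boolean unscoped) {
        Set<Long> groups = new TreeSet<>();
        if (unscoped) {
            groups.addAll(MEMBERSHIPS.getOrDefault(userId, Set.of()));
        } else {
            for (long groupId : groupIds) {
                if (hasUserGroup(userId, groupId)) {
                    groups.add(groupId);
                }
            }
        }
        return groups;
    }

    public static void main(String[] args) {
        long[] everything = {0L}; // groupId 0, as the report says the Search portlet passes
        long[] oneGroup = {101L};
        System.out.println("quoted,   Everything: "
            + resolveGroups(42L, everything, unscopedAsQuoted(everything)));
        System.out.println("proposed, Everything: "
            + resolveGroups(42L, everything, unscopedAsProposed(everything)));
        System.out.println("proposed, one group:  "
            + resolveGroups(42L, oneGroup, unscopedAsProposed(oneGroup)));
    }
}
```

An empty set on the first line corresponds to the reported symptom: with no groups resolved, no member-role terms reach the query and only Guest-visible content matches.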