  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-31719

InlineSQLHelperUtil does not take ResourcePermission.scope=3 into account when retrieving DLFolders in a community site and so does not work when the Member role has default VIEW permission on DLFolders.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: No Longer Reproducible
    • Affects Version/s: 6.0.6 GA
    • Fix Version/s: 6.2.0 CE M4
    • Component/s: DM
    • Environment:
      LPS 6.0.6 / PostgreSQL|Oracle / Win32/Linux
      Permission Algo 6

      Description

      Case:
      1-As Portal Admin
      Define default VIEW permissions on "Community member" for DocumentLibrary.
      2-As Community Owner
      Create a folder in a community Doc Lib, setting "share with community member" permissions.
      3-As Community member
      OK => If you connect as a community member, you'll see the folder
      4-Now, as Community Owner, edit permissions for the folder and just save it (even without modifying anything)
      5-As Community member
      KO => the folder is no longer viewable!

      The reason for this is that the doclib portlet view uses DLFolderServiceUtil.getFolders, which itself calls a persistence method (filterFindByG_P) that injects an INNER JOIN on ResourcePermission via InlineSQLHelperUtil:

      Sample :
      ---------------
      -- Role "Member of Comm" is 10144
      SELECT DISTINCT dlFolder.parentFolderId, dlFolder.name
      FROM DLFolder dlFolder
      INNER JOIN ResourcePermission
      ON (
        (dlFolder.userId = 21909)
        OR (ResourcePermission.companyId = 10132)
        AND (ResourcePermission.name = 'com.liferay.portlet.documentlibrary.model.DLFolder')
        AND (ResourcePermission.roleId IN (0,10142,10144)) AND (MOD(ResourcePermission.actionIds, 2) = 1)
        AND (
          (
            (ResourcePermission.scope = 1)
            AND (ResourcePermission.primKey = '10132')
          )
          OR (
            (ResourcePermission.scope = 2)
            AND (ResourcePermission.primKey IN ('23001'))
          )
          OR (
            (ResourcePermission.scope = 4)
            AND (ResourcePermission.primKey = CAST(dlFolder.folderId AS text))
          )
        )
      )
      WHERE dlFolder.groupId = 23001
      AND dlFolder.parentFolderId = 24106
      ORDER BY dlFolder.parentFolderId ASC, dlFolder.name ASC

      --------------

      This SQL statement does not take into account the case of VIEW permissions defined on the "Community member" role.
      In the ResourcePermission table, we have this data for roleId "community member":
      name="com.liferay.portlet.documentlibrary.model.DLFolder"; scope=3; primkey="0"; roleid=10144; actionids=31 (or any bitwise value for which MOD(actionIds, 2) = 1, that is, the bit for the VIEW action is set)

      So InlineSQLHelperUtil is not enough ...

      ----------------

      As a workaround, we can use DLFolderLocalServiceUtil.getFolders() instead of DLFolderServiceUtil.getFolders() in view.jsp. It goes to a persistence method (filterFindByG_P) that does not use InlineSQLHelperUtil, so the folders are visible... but to everyone, since no permission filtering is applied.

      So, why not implement (or extend) a service method that uses this last one together with a classic permissionChecker check, as is done in DLFolderServiceUtil.getFolder(), the method used to get ONE folder?
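
The scope gap described above can be reproduced offline. This is an added example, not Liferay code: it ports the ticket's query to an in-memory SQLite database (constructed sample rows, `%` in place of `MOD`) and compares it with a hypothetical extra `scope = 3` branch, which is an assumption about one possible correction and not the project's actual fix.

```python
import sqlite3

# Constructed schema and sample folder, reusing the ids shown in the ticket's query.
SCHEMA = """
CREATE TABLE DLFolder (folderId INTEGER, groupId INTEGER, parentFolderId INTEGER,
                       userId INTEGER, name TEXT);
CREATE TABLE ResourcePermission (companyId INTEGER, name TEXT, scope INTEGER,
                                 primKey TEXT, roleId INTEGER, actionIds INTEGER);
INSERT INTO DLFolder VALUES (24200, 23001, 24106, 11111, 'shared-folder');
"""

# The ticket's generated query, ported to SQLite; {extra} is where a branch can be added.
QUERY = """
SELECT DISTINCT dlFolder.name
FROM DLFolder dlFolder
INNER JOIN ResourcePermission ON (
  (dlFolder.userId = 21909)
  OR (ResourcePermission.companyId = 10132)
  AND (ResourcePermission.name = 'com.liferay.portlet.documentlibrary.model.DLFolder')
  AND (ResourcePermission.roleId IN (0,10142,10144))
  AND (ResourcePermission.actionIds % 2 = 1)
  AND (
    ((ResourcePermission.scope = 1) AND (ResourcePermission.primKey = '10132'))
    OR ((ResourcePermission.scope = 2) AND (ResourcePermission.primKey IN ('23001')))
    {extra}
    OR ((ResourcePermission.scope = 4)
        AND (ResourcePermission.primKey = CAST(dlFolder.folderId AS TEXT)))
  )
)
WHERE dlFolder.groupId = 23001 AND dlFolder.parentFolderId = 24106
ORDER BY dlFolder.name ASC
"""

# Assumed extra branch (hypothetical): honour the role-level row with scope=3, primKey='0'.
SCOPE3 = "OR ((ResourcePermission.scope = 3) AND (ResourcePermission.primKey = '0'))"

def visible_folders(extra="", action_ids=31):
    """Return folder names the query yields when only the scope=3 row exists."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO ResourcePermission VALUES (?,?,?,?,?,?)",
               (10132, "com.liferay.portlet.documentlibrary.model.DLFolder",
                3, "0", 10144, action_ids))
    rows = db.execute(QUERY.format(extra=extra)).fetchall()
    db.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    print("ticket query:     ", visible_folders())
    print("with scope=3 term:", visible_folders(SCOPE3))
```

Passing `action_ids=30` (VIEW bit cleared) with the extra branch still returns no folder, so the added term grants nothing beyond what the scope=3 row itself states.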
