  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-31719

InlineSQLHelperUtil does not take ResourcePermission.scope=3 into account when retrieving DLFolders in a community site and so does not work when the role Member has default VIEW permission on DLFolders.



      Case:
      1-As Portal Admin
      Define default permissions VIEW on "Community member" for DocumentLibrary.
      2-As Community Owner
      Create a folder in a community Doc Lib, setting "share with community member" permissions.
      3-As community member
      OK => If you connect as a community member, you'll see the folder
      4-Now, as community Owner, edit permissions for the folder and just save it (even without modifying anything)
      5-As Community member
      KO => the folder is no longer viewable!

      The reason for this is that the doclib portlet view uses DLFolderServiceUtil.getFolders, which itself calls a persistence method (filterFindByG_P) that injects an INNER JOIN on ResourcePermission via InlineSQLHelperUtil:

      Sample:
      -- Role "Member of Comm" is 10144
      SELECT DISTINCT dlFolder.parentFolderId, dlFolder.name
      FROM DLFolder dlFolder
      INNER JOIN ResourcePermission
      ON (
      (dlFolder.userId = 21909)
      OR (ResourcePermission.companyId = 10132)
      AND (ResourcePermission.name = 'com.liferay.portlet.documentlibrary.model.DLFolder')
      AND (ResourcePermission.roleId IN (0,10142,10144)) AND (MOD(ResourcePermission.actionIds, 2) = 1)
      AND (
      (ResourcePermission.scope = 1)
      AND (ResourcePermission.primKey = '10132')
      OR (
      (ResourcePermission.scope = 2)
      AND (ResourcePermission.primKey IN ('23001'))
      OR (
      (ResourcePermission.scope = 4)
      AND (ResourcePermission.primKey = CAST(dlFolder.folderId AS text))
      )
      )
      )
      )
      WHERE dlFolder.groupId = 23001
      AND dlFolder.parentFolderId = 24106
      ORDER BY dlFolder.parentFolderId ASC, dlFolder.name ASC


      This SQL statement does not take into account the case of VIEW permissions defined on the "Community member" role.
      In the ResourcePermission table, we have this data for roleId "community member":
      name="com.liferay.portlet.documentlibrary.model.DLFolder"; scope=3; primkey="0"; roleid=10144; actionids=31 (or any bitwise value with mod=1; that is the ID for action VIEW)

      So InlineSQLHelperUtil is not enough ...


      As a workaround, we can use DLFolderLocalServiceUtil.getFolders() instead of DLFolderServiceUtil.getFolders() in the view.jsp; it goes to a persistence method (filterFindByG_P) that does not use InlineSQLHelperUtil, and so the folders are visible... but for everyone...

      So, why not implement (or extend) a service method that uses this last one, with a classic permissionChecker check, as is done in the method DLFolderServiceUtil.getFolder() used to get ONE folder?
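
The gap described above, as an added example (not part of the original report and not Liferay code): Python's sqlite3 runs the quoted filter against the scope=3 row from the report, then again with a hypothetical extra branch for scope 3. The folder row, owner id 20001 and the scope 3 branch are constructed assumptions, as is the premise that no scope 4 row grants VIEW to role 10144 after step 4; MOD() is written as % for SQLite.

```python
import sqlite3

# Filter as quoted in the report (scopes 1, 2 and 4 only); MOD() written as % for SQLite.
REPORTED = """
SELECT DISTINCT dlFolder.folderId, dlFolder.name
FROM DLFolder dlFolder
INNER JOIN ResourcePermission ON (
  (dlFolder.userId = :userId)
  OR (ResourcePermission.companyId = 10132)
  AND (ResourcePermission.name = 'com.liferay.portlet.documentlibrary.model.DLFolder')
  AND (ResourcePermission.roleId IN (0,10142,10144))
  AND ((ResourcePermission.actionIds % 2) = 1)
  AND (
    (ResourcePermission.scope = 1) AND (ResourcePermission.primKey = '10132')
    OR (ResourcePermission.scope = 2) AND (ResourcePermission.primKey IN ('23001'))
    OR (ResourcePermission.scope = 4)
       AND (ResourcePermission.primKey = CAST(dlFolder.folderId AS text))
    {extra}
  )
)
WHERE dlFolder.groupId = 23001 AND dlFolder.parentFolderId = 24106
ORDER BY dlFolder.name ASC
"""
# Hypothetical extra branch (an assumption, not Liferay's fix): role-wide default rows.
SCOPE3 = "OR (ResourcePermission.scope = 3) AND (ResourcePermission.primKey = '0')"

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE DLFolder (folderId INTEGER, groupId INTEGER,
                             parentFolderId INTEGER, userId INTEGER, name TEXT);
      CREATE TABLE ResourcePermission (companyId INTEGER, name TEXT, scope INTEGER,
                                       primKey TEXT, roleId INTEGER, actionIds INTEGER);
      -- Constructed folder, created by the community owner (user 20001, constructed).
      INSERT INTO DLFolder VALUES (24200, 23001, 24106, 20001, 'shared');
      -- Row from the report: VIEW granted to role 10144 at scope 3, primKey '0'.
      INSERT INTO ResourcePermission VALUES
        (10132, 'com.liferay.portlet.documentlibrary.model.DLFolder', 3, '0', 10144, 31);
    """)
    return db

def visible_folders(db, user_id, with_scope3):
    sql = REPORTED.format(extra=SCOPE3 if with_scope3 else "")
    return [row[1] for row in db.execute(sql, {"userId": user_id})]

if __name__ == "__main__":
    db = build_db()
    print("reported filter:", visible_folders(db, 21909, False))
    print("with scope 3:   ", visible_folders(db, 21909, True))
```
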




            michael.saechang Michael Saechang
            cariou Christophe Cariou


                Version Package
                6.2.0 CE M4