  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-4241

Searching Journal / Web Content doesn't account for permissions

    Details

    • Branch Version/s:
      5.2.x
    • Backported to Branch:
      Committed

      Description

      When doing a search on the journal content, the search will not add the roleId to the query. From my email to dev-support on July 16th:

      ------------------------------------------------------------------
      I'm doing some dev for the search and noticed that for the search results, we add permission logic in the query so that we only get search results which we have permission to see. This is good, but seems to only be done for Blogs, Bookmarks, Calendar, etc., but NOT Message Boards, Web Content and Image Gallery. Is there a reason for this?

      Blogs
      in BlogsEntryLocalServiceImpl.search(
      long companyId, long groupId, long userId, long ownerUserId,
      String keywords, int start, int end)
      throws SystemException {

      return SearchEngineUtil.search(
      companyId, groupId, userId, BlogsEntry.class.getName(),
      fullQuery, start, end);

      It passes the userId to the SearchEngineUtil, but not in the others. See below:

      Web Content:
      in JournalArticleLocalServiceImpl.search(
      long companyId, long groupId, String keywords, Sort[] sorts,
      int start, int end)
      throws SystemException {

      return SearchEngineUtil.search(
      companyId, fullQuery, sorts, start, end);

      AND

      Message Boards:

      in MBCategoryLocalServiceImpl.search(
      long companyId, long groupId, long[] categoryIds, long threadId,
      String keywords, int start, int end)

      ...
      return SearchEngineUtil.search(companyId, fullQuery, start, end);

      AND

      in IGFolderLocalServiceImpl.search(
      long companyId, long groupId, long[] folderIds, String keywords,
      int start, int end)
      throws SystemException {
      ...
      return SearchEngineUtil.search(companyId, fullQuery, start, end);

      (Notice that the userId is never passed to SearchEngineUtil, and therefore the SearchPermissionCheckerImpl is never called.)

      Changing this so that the search results return viewable results would mean that we would have to pass in the userId and therefore change the method signatures. Is this a bug or intentional? And if intentional, does anyone know why?
      ------------------------------------------------------------------

      From Bruno:
      Articles are inherently public. Once they are approved, there is no permission check to view them.

      In response to Bruno's comment: that makes sense; however, it is also true that the view permission can also be taken away from the guest role, which would mean that roleIds should be taken into account.

      Scott
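
The difference the report describes, as an added example that is not Liferay's code and not part of the original issue: a toy in-memory index where each document lists the role ids holding VIEW, searched once without a userId and once with one. All class names, role ids, user ids and documents below are constructed for illustration; the second document models an article whose Guest view permission has been removed.

```java
import java.util.*;
import java.util.stream.Collectors;

// Toy in-memory index; every name here is hypothetical, not a Liferay class.
public class PermissionAwareSearchDemo {

    // An indexed document carries the role ids that hold VIEW permission on it.
    static final class Doc {
        final String title;
        final Set<Long> viewRoleIds;
        Doc(String title, Long... roleIds) {
            this.title = title;
            this.viewRoleIds = new HashSet<>(Arrays.asList(roleIds));
        }
    }

    static final long GUEST = 1L, SITE_MEMBER = 2L, EDITOR = 3L; // constructed role ids

    static final List<Doc> INDEX = Arrays.asList(                // constructed sample data
        new Doc("Public press release", GUEST, SITE_MEMBER, EDITOR),
        new Doc("Internal release plan", EDITOR));               // Guest VIEW removed

    static final Map<Long, Set<Long>> USER_ROLES = new HashMap<>();
    static {
        USER_ROLES.put(100L, new HashSet<>(Arrays.asList(GUEST)));         // anonymous visitor
        USER_ROLES.put(200L, new HashSet<>(Arrays.asList(GUEST, EDITOR))); // editor
    }

    // Shape from the report: no userId reaches the search, so no role clause can be added.
    static List<String> search(String keywords) {
        return INDEX.stream()
            .filter(d -> d.title.toLowerCase().contains(keywords.toLowerCase()))
            .map(d -> d.title).collect(Collectors.toList());
    }

    // Permission-aware shape: keyword match AND "at least one of the caller's roles may view".
    static List<String> search(long userId, String keywords) {
        Set<Long> roles = USER_ROLES.getOrDefault(userId, Collections.emptySet()); // unknown user: no roles
        return INDEX.stream()
            .filter(d -> d.title.toLowerCase().contains(keywords.toLowerCase()))
            .filter(d -> !Collections.disjoint(d.viewRoleIds, roles))
            .map(d -> d.title).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        System.out.println("no userId:  " + search("release"));
        System.out.println("guest 100:  " + search(100L, "release"));
        System.out.println("editor 200: " + search(200L, "release"));
    }
}
```

The role filter is applied inside the search rather than on the returned page, so hit counts and pagination do not reveal documents the caller cannot view.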

              People

              Assignee:
              wesley.gong Wesley Gong
              Reporter:
              scott.lee Scott Lee
              Participants of an Issue:
              Recent user:
              Esther Sanz

                Dates

                Created:
                Updated:
                Resolved:
                Days since last comment:
                10 years, 46 weeks, 1 day ago

                  Packages

                  Version Package
                  6.0.0 Preview