- Type: Bug
- Status: Closed
- Resolution: Fixed
- Affects Version/s: 5.2.3
- Fix Version/s: 6.0.0 Preview
- Component/s: Web Content > Web Content Administration
- Labels: None
- Environment: trunk, 5.2.x
- Branch Version/s: 5.2.x
- Backported to Branch: Committed

When doing a search on the journal content, the search will not add the roleId to the query. From my email to dev-support on July 16th:
------------------------------------------------------------------
I'm doing some dev for the search and noticed that for the search results, we add permission logic in the query so that we only get search results which we have permission to see. This is good, but it seems to only be done for Blogs, Bookmarks, Calendar, etc., but NOT Message Boards, Web Content and Image Gallery. Is there a reason for this?
Blogs:
in BlogsEntryLocalServiceImpl.search(
        long companyId, long groupId, long userId, long ownerUserId,
        String keywords, int start, int end)
    throws SystemException {
    return SearchEngineUtil.search(
        companyId, groupId, userId, BlogsEntry.class.getName(),
        fullQuery, start, end);
It passes the userId to the SearchEngineUtil, but not in the others; see below:
Web Content:
in JournalArticleLocalServiceImpl.search(
        long companyId, long groupId, String keywords, Sort[] sorts,
        int start, int end)
    throws SystemException {
    return SearchEngineUtil.search(
        companyId, fullQuery, sorts, start, end);
AND
Message Boards:
in MBCategoryLocalServiceImpl.search(
        long companyId, long groupId, long[] categoryIds, long threadId,
        String keywords, int start, int end)
    ...
    return SearchEngineUtil.search(companyId, fullQuery, start, end);
AND
in IGFolderLocalServiceImpl.search(
        long companyId, long groupId, long[] folderIds, String keywords,
        int start, int end)
    throws SystemException {
    ...
    return SearchEngineUtil.search(companyId, fullQuery, start, end);
(Notice that the userId is never passed to SearchEngineUtil, and therefore the SearchPermissionCheckerImpl is never called.)
Changing this so that the search returns viewable results would mean that we would have to pass in the userId and therefore change the method signatures. Is this a bug or intentional? And if intentional, does anyone know why?
------------------------------------------------------------------
From bruno:
Articles are inherently public. Once they are approved, there is no permission check to view them.
In response to bruno's comment: that makes sense; however, it is also true that the view permission can be taken away from the guest role, which would mean that roleIds should be taken into account.
Scott
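
The effect discussed in this issue, as an added example that is not part of the original report and not Liferay code: a small in-memory model of a search index whose entries carry the role ids allowed to view them, queried once without caller context and once with the caller's roles as a required clause. All class, method and role names, and the sample documents, are constructed for illustration.

```java
import java.util.*;
import java.util.stream.*;

// Illustrative model only: class, method and role names are hypothetical, not Liferay's API.
public class SearchPermissionDemo {
    static final long GUEST = 1, SITE_MEMBER = 2, EDITOR = 3; // constructed role ids

    // An indexed document stores the ids of the roles that hold VIEW on the entry.
    record Doc(String title, long companyId, Set<Long> viewRoleIds) {}

    // Constructed sample index.
    static final List<Doc> INDEX = List.of(
        new Doc("Public release notes", 10, Set.of(GUEST, SITE_MEMBER, EDITOR)),
        new Doc("Internal release plan", 10, Set.of(EDITOR)), // VIEW removed from guest
        new Doc("Release notes, other tenant", 20, Set.of(GUEST)));

    // Shape of the unfiltered call: no user context, so no permission clause can be added.
    static List<String> search(long companyId, String keywords) {
        return INDEX.stream()
            .filter(d -> d.companyId() == companyId && matches(d, keywords))
            .map(Doc::title).collect(Collectors.toList());
    }

    // Shape of the filtered call: the caller's roles become a required clause of the query.
    static List<String> search(long companyId, Set<Long> callerRoleIds, String keywords) {
        return INDEX.stream()
            .filter(d -> d.companyId() == companyId && matches(d, keywords))
            .filter(d -> !Collections.disjoint(d.viewRoleIds(), callerRoleIds))
            .map(Doc::title).collect(Collectors.toList());
    }

    static boolean matches(Doc d, String keywords) {
        return d.title().toLowerCase(Locale.ROOT).contains(keywords.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        Set<Long> guestRoles = Set.of(GUEST);
        System.out.println("no permission clause:   " + search(10, "release"));
        System.out.println("guest, role-filtered:   " + search(10, guestRoles, "release"));
        System.out.println("editor, role-filtered:  " + search(10, Set.of(GUEST, EDITOR), "release"));
    }
}
```

With the unfiltered overload, a guest searching company 10 gets both documents, including the one whose view permission was removed from the guest role; the role-filtered overload returns only the public one for the same caller.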