Total result count doesn't respect RM role


Steps to reproduce

1. Create a category, folder and record.
2. Create a new user Bob (not an RM user) and add them to the category with read only permission.
3. Search for the record using Bob.


4. The total count should be 0 (i.e. "0 results found")


4. The total count is 1 (i.e. "1 - results found").


This happens because the RM role filtering is done in AGS (see RMAfterInvocationProvider.decide). In this specific case (the filtered result is on the current page of results) it would be possible to workaround this issue and update the count in AGS, however this will not work if the filtered record was on another page of the results.

There are several ways this could be fixed by filtering in Solr instead (see a more detailed discussion here):

  • Prevent users from having read or write permissions on a category without also having the read records capability.

  • Use a new user group (and ACLs) for the read records capability.

  • Use a query filter (as is done for security marks).

This issue also affects the SQL endpoint (although it's currently not observable due to other issues - see SEARCH-1271, ).




Claudia Agache
February 14, 2020, 1:38 AM

, I found following regression:

  1. Create as admin a category, folder and record.

  2. Create a new user Bob and add him to ALFRESCO_ADMINISTRATORS group.

  3. Login in share as Bob and navigate to the record. He is able to see the record even if he doesn't have a rm role.

  4. Search for the record.

Expected: The total count is 1 (i.e. "1 - results found") and the record is displayed in search results.

Actual: The total count is 0 (i.e. "0 - results found") and the record isn't displayed in search results.

Sara Aspery
February 14, 2020, 2:06 AM

As Bob is not a member of the RM site, how does he navigate to the record? Is it via the node browser or something else?

All Replies
February 14, 2020, 12:08 PM

[This comment has been reassigned to as part of the Alfresco cloud migration project. The author of this comment was buildandpackaging] Sara Aspery mentioned this issue in a merge request of records-management/records-management:
'RM-6654 filter by file plan component'

Sara Aspery
February 18, 2020, 12:53 AM

Changed to now allow for users in the ALFRESCO_ADMINISTRATORS group to see records in the search results even if they do not have an RM role with View Records capability.

Claudia Agache
February 20, 2020, 11:13 PM

Issue doesn't reproduce on rev #5937d47d





Tom Page




Bug Priority

Category 2

Delivery Team


Release Train


Story Points


Time remaining


Fix versions

Affects versions