Steps to reproduce
1. Create a category, folder and record.
2. Create a new user Bob (not an RM user) and add them to the category with read only permission.
3. Search for the record using Bob.
Expected
4. The total count should be 0 (i.e. "0 results found")
Actual
4. The total count is 1 (i.e. "1 - results found").
Notes
This happens because the RM role filtering is done in AGS (see RMAfterInvocationProvider.decide). In this specific case (the filtered result is on the current page of results) it would be possible to workaround this issue and update the count in AGS, however this will not work if the filtered record was on another page of the results.
There are several ways this could be fixed by filtering in Solr instead (see a more detailed discussion here):
Prevent users from having read or write permissions on a category without also having the read records capability.
Use a new user group (and ACLs) for the read records capability.
Use a query filter (as is done for security marks).
This issue also affects the SQL endpoint (although it's currently not observable due to other issues - see SEARCH-1271, ).
, I found following regression:
Create as admin a category, folder and record.
Create a new user Bob and add him to ALFRESCO_ADMINISTRATORS group.
Login in share as Bob and navigate to the record. He is able to see the record even if he doesn't have a rm role.
Search for the record.
Expected: The total count is 1 (i.e. "1 - results found") and the record is displayed in search results.
Actual: The total count is 0 (i.e. "0 - results found") and the record isn't displayed in search results.
As Bob is not a member of the RM site, how does he navigate to the record? Is it via the node browser or something else?
[This comment has been reassigned to allreplies@alfresco.com as part of the Alfresco cloud migration project. The author of this comment was buildandpackaging] Sara Aspery mentioned this issue in a merge request of records-management/records-management:
'RM-6654 filter by file plan component'
Changed to now allow for users in the ALFRESCO_ADMINISTRATORS group to see records in the search results even if they do not have an RM role with View Records capability.
Issue doesn't reproduce on rev #5937d47d