Total result count doesn't respect RM role

Description

Steps to reproduce

1. Create a category, folder and record.
2. Create a new user Bob (not an RM user) and add them to the category with read only permission.
3. Search for the record using Bob.

Expected

4. The total count should be 0 (i.e. "0 results found")

Actual

4. The total count is 1 (i.e. "1 - results found").

Notes

This happens because the RM role filtering is done in AGS (see RMAfterInvocationProvider.decide). In this specific case (the filtered result is on the current page of results) it would be possible to work around this issue and update the count in AGS; however, this will not work if the filtered record was on another page of the results.

There are several ways this could be fixed by filtering in Solr instead (see a more detailed discussion here):

  • Prevent users from having read or write permissions on a category without also having the read records capability.

  • Use a new user group (and ACLs) for the read records capability.

  • Use a query filter (as is done for security marks).

This issue also affects the SQL endpoint (although it's currently not observable due to other issues - see SEARCH-1271, ).

Environment

None
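The count mismatch described in the notes, as an added example that is not Alfresco or AGS code: a small constructed model comparing role filtering after the query (with and without the per-page count workaround) against filtering inside the query. The `Node` and `User` types, the function names and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed model for illustration; names and data are hypothetical, not AGS code.
@dataclass(frozen=True)
class Node:
    name: str
    is_record: bool
    readers: frozenset  # users granted read permission through ACLs

@dataclass(frozen=True)
class User:
    name: str
    can_view_records: bool  # stands in for the RM read records capability

def acl_hits(index, user, term):
    """What the index returns when it only knows about ACLs."""
    return [n for n in index if term in n.name and user.name in n.readers]

def role_allows(user, node):
    return user.can_view_records or not node.is_record

def post_filter(index, user, term, page=0, size=2, patch_count=False):
    """Role check applied after the query, one page at a time."""
    hits = acl_hits(index, user, term)
    raw = hits[page * size:(page + 1) * size]
    shown = [n for n in raw if role_allows(user, n)]
    total = len(hits)
    if patch_count:  # the workaround: subtract what was dropped on this page
        total -= len(raw) - len(shown)
    return total, [n.name for n in shown]

def query_filter(index, user, term, page=0, size=2):
    """Role check applied as part of the query, before counting and paging."""
    hits = [n for n in acl_hits(index, user, term) if role_allows(user, n)]
    return len(hits), [n.name for n in hits[page * size:(page + 1) * size]]

BOB = User("bob", can_view_records=False)
R = frozenset({"bob"})
ONE_RECORD = [Node("plan-record", True, R)]
MIXED = [Node("plan-a", False, R), Node("plan-b", False, R), Node("plan-record", True, R)]

if __name__ == "__main__":
    print(post_filter(ONE_RECORD, BOB, "plan"))                    # (1, [])
    print(post_filter(ONE_RECORD, BOB, "plan", patch_count=True))  # (0, [])
    print(post_filter(MIXED, BOB, "plan", patch_count=True))       # (3, ['plan-a', 'plan-b'])
    print(query_filter(MIXED, BOB, "plan"))                        # (2, ['plan-a', 'plan-b'])
```

With the record on the second page, the patched count on the first page is still 3, so the total continues to reveal a hit the user cannot view; only the query-side filter gives a count that matches what the user can see on every page.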

Activity

Claudia Agache
February 14, 2020, 1:38 AM

I found the following regression:

  1. Create as admin a category, folder and record.

  2. Create a new user Bob and add him to ALFRESCO_ADMINISTRATORS group.

  3. Log in to Share as Bob and navigate to the record. He is able to see the record even if he doesn't have an RM role.

  4. Search for the record.

Expected: The total count is 1 (i.e. "1 - results found") and the record is displayed in search results.

Actual: The total count is 0 (i.e. "0 - results found") and the record isn't displayed in search results.

Sara Aspery
February 14, 2020, 2:06 AM

As Bob is not a member of the RM site, how does he navigate to the record? Is it via the node browser or something else?

All Replies
February 14, 2020, 12:08 PM

[This comment has been reassigned to allreplies@alfresco.com as part of the Alfresco cloud migration project. The author of this comment was buildandpackaging] Sara Aspery mentioned this issue in a merge request of records-management/records-management:
'RM-6654 filter by file plan component'

Sara Aspery
February 18, 2020, 12:53 AM

Changed to now allow for users in the ALFRESCO_ADMINISTRATORS group to see records in the search results even if they do not have an RM role with View Records capability.

Claudia Agache
February 20, 2020, 11:13 PM

Issue doesn't reproduce on rev #5937d47d

Done

Assignee

Unassigned

Reporter

Tom Page

Labels

Regression

None

Bug Priority

Category 2

Delivery Team

None

Release Train

None

Story Points

3

Time remaining

0m

Fix versions

Affects versions