deiferni
commented
5 years ago as just discussed with @buchi we should have a look at this next week with @lukasgraf to discuss possible strageties
Closed deiferni closed 5 years ago
deiferni
commented
5 years ago as just discussed with @buchi we should have a look at this next week with @lukasgraf to discuss possible strageties
There is an issue with the
reindexObjectSecuritypatch in combination with a shortcut in theallowedRolesAndUsersindexer. In:https://github.com/plone/Products.CMFPlone/blob/f80809340cb8263ed5a217d8f311e26b2c98d1ef/Products/CMFPlone/CatalogTool.py#L148-L151
there is a shortcut for
AuthenticatedandAnonymouswhich will limit theallowedRolesAndUsersindexed values to one role should it appear in the index. This is an issue since our patch relies on the indexed values and compares them to detect if recursion can be terminated:https://github.com/4teamwork/ftw.solr/blob/2336c4c114574773f25e740d323a65110a9c67e8/ftw/solr/patches.py#L46-L49
In combination with the shortcut mentioned before that means that despite e.g. local roles of an object may have changed, these changes are not picked up by the indexer due to the shortcut. This leads to recursion being terminated by our patch which can cause children of such objects not being indexed correctly.
The issue can be reproduced in GEVER as we use
Authenticatedfor theRepositoryRootcontent type:https://github.com/4teamwork/opengever.core/blob/082e39b29b4c113c701496b6f067e0de9243164f/opengever/repository/profiles/default/workflows/opengever_repositoryroot_workflow/definition.xml#L73
Non-exhaustive possible solutions:
allowedRolesAndUsersindexer in combination with above patch and no longer use the shortcut.is_index_up_to_datealways returnFalsewhen the index value containsAuthenticatedorAnonymous