there is a shortcut for Authenticated and Anonymous which will limit the allowedRolesAndUsers indexed values to one role should it appear in the index. This is an issue since our patch relies on the indexed values and compares them to detect if recursion can be terminated:
In combination with the shortcut mentioned before that means that despite e.g. local roles of an object may have changed, these changes are not picked up by the indexer due to the shortcut. This leads to recursion being terminated by our patch which can cause children of such objects not being indexed correctly.
The issue can be reproduced in GEVER as we use Authenticated for the RepositoryRoot content type:
There is an issue with the
reindexObjectSecurity
patch in combination with a shortcut in theallowedRolesAndUsers
indexer. In:https://github.com/plone/Products.CMFPlone/blob/f80809340cb8263ed5a217d8f311e26b2c98d1ef/Products/CMFPlone/CatalogTool.py#L148-L151
there is a shortcut for
Authenticated
andAnonymous
which will limit theallowedRolesAndUsers
indexed values to one role should it appear in the index. This is an issue since our patch relies on the indexed values and compares them to detect if recursion can be terminated:https://github.com/4teamwork/ftw.solr/blob/2336c4c114574773f25e740d323a65110a9c67e8/ftw/solr/patches.py#L46-L49
In combination with the shortcut mentioned before that means that despite e.g. local roles of an object may have changed, these changes are not picked up by the indexer due to the shortcut. This leads to recursion being terminated by our patch which can cause children of such objects not being indexed correctly.
The issue can be reproduced in GEVER as we use
Authenticated
for theRepositoryRoot
content type:https://github.com/4teamwork/opengever.core/blob/082e39b29b4c113c701496b6f067e0de9243164f/opengever/repository/profiles/default/workflows/opengever_repositoryroot_workflow/definition.xml#L73
Non-exhaustive possible solutions:
allowedRolesAndUsers
indexer in combination with above patch and no longer use the shortcut.is_index_up_to_date
always returnFalse
when the index value containsAuthenticated
orAnonymous