Acosix / alfresco-simple-content-stores

Addon to provide a set of common content store implementations and easy-to-use configuration (no Spring config)
Apache License 2.0

Access is denied on content update #19

Closed thijslemmens closed 4 years ago

thijslemmens commented 5 years ago

Environment:

Configuration:

A user that is collaborator on a file cannot update and gets an access denied. Stacktrace is indicating a Site lookup in an AOP interceptor. Sites are not used in this context.

[ALFRESCO] 2019-05-06 16:35:44,617 ERROR [extensions.webscripts.AbstractRuntime] [http-bio-8080-exec-177] Exception from executeScript: 04063951 Access Denied. You do not have the appropriate permissions to perform this operation.
org.alfresco.repo.security.permissions.AccessDeniedException: 04063951 Access Denied. You do not have the appropriate permissions to perform this operation.
    at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:57)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:166)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.transaction.RetryingTransactionInterceptor$1.execute(RetryingTransactionInterceptor.java:86)
    at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)
    at org.alfresco.repo.transaction.RetryingTransactionInterceptor.invoke(RetryingTransactionInterceptor.java:76)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.enterprise.repo.authorization.AuthorizationStatusInterceptor.invoke(AuthorizationStatusInterceptor.java:189)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy29.getPrimaryParent(Unknown Source)
    at org.alfresco.repo.site.SiteServiceImpl.getSiteNodeRef(SiteServiceImpl.java:1412)
    at org.alfresco.repo.site.SiteServiceImpl.getSiteNodeRef(SiteServiceImpl.java:1415)
    at org.alfresco.repo.site.SiteServiceImpl.getSiteNodeRef(SiteServiceImpl.java:1415)
    at org.alfresco.repo.site.SiteServiceImpl.getSiteNodeRef(SiteServiceImpl.java:1415)
    at org.alfresco.repo.site.SiteServiceImpl.getSiteNodeRef(SiteServiceImpl.java:1415)
    at org.alfresco.repo.site.SiteServiceImpl.getSiteNodeRef(SiteServiceImpl.java:1415)
    at org.alfresco.repo.site.SiteServiceImpl.getSiteNodeRef(SiteServiceImpl.java:1415)
    at org.alfresco.repo.site.SiteServiceImpl.getSiteNodeRef(SiteServiceImpl.java:1415)
    at org.alfresco.repo.site.SiteServiceImpl.getSite(SiteServiceImpl.java:1373)
    at sun.reflect.GeneratedMethodAccessor416.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
    at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:53)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:166)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.transaction.CheckTransactionAdvice.invoke(CheckTransactionAdvice.java:54)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.transaction.RetryingTransactionAdvice$1.execute(RetryingTransactionAdvice.java:71)
    at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)
    at org.alfresco.repo.transaction.RetryingTransactionAdvice.invoke(RetryingTransactionAdvice.java:74)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy122.getSite(Unknown Source)
    at de.acosix.alfresco.simplecontentstores.repo.store.context.SiteAttributesInitializer.initialize(SiteAttributesInitializer.java:70)
    at de.acosix.alfresco.simplecontentstores.repo.aop.InitContentStoreContextInterceptor$1.execute(InitContentStoreContextInterceptor.java:79)
    at de.acosix.alfresco.simplecontentstores.repo.store.context.ContentStoreContext.executeInNewContext(ContentStoreContext.java:134)
    at de.acosix.alfresco.simplecontentstores.repo.aop.InitContentStoreContextInterceptor.invoke(InitContentStoreContextInterceptor.java:59)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at de.acosix.alfresco.simplecontentstores.repo.aop.ContentStoreCapsEmulatingInterceptor.invoke(ContentStoreCapsEmulatingInterceptor.java:194)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy24.getWriter(Unknown Source)
    at org.alfresco.repo.content.ContentServiceImpl.getWriter(ContentServiceImpl.java:508)
    at sun.reflect.GeneratedMethodAccessor415.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
    at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.model.ml.MLContentInterceptor.invoke(MLContentInterceptor.java:136)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:53)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:166)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy59.getWriter(Unknown Source)
    at eu.xenit.apix.alfresco.metadata.NodeService.setContent(NodeService.java:494)
    at eu.xenit.ethias.integration.v3.GeneralWebscripts.updateContent(GeneralWebscripts.java:140)
    at sun.reflect.GeneratedMethodAccessor1315.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:210)
    at com.github.dynamicextensionsalfresco.webscripts.AnnotationWebScript.invokeUriHandlerMethod(AnnotationWebScript.java:154)
    at com.github.dynamicextensionsalfresco.webscripts.AnnotationWebScript.execute(AnnotationWebScript.java:76)
    at com.github.dynamicextensionsalfresco.webscripts.WebScriptProxy.execute(WebScriptProxy.java:71)
    at org.alfresco.repo.web.scripts.RepositoryContainer$3.execute(RepositoryContainer.java:519)
    at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)
    at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:587)
    at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:656)
    at org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:428)
    at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:308)
    at de.acosix.alfresco.utility.repo.web.scripts.TenantExtensibilityContainer.executeScript(TenantExtensibilityContainer.java:206)
    at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:399)
    at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:210)
    at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at brave.servlet.TracingFilter.doFilter(TracingFilter.java:76)
    at eu.xenit.alfresco.instrumentation.servlet.ServletContextTracingFilter.doFilter(ServletContextTracingFilter.java:29)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at eu.xenit.alfresco.metadata.permissions.repo.security.BaseMetadataRestrictionsFilter.doFilter(BaseMetadataRestrictionsFilter.java:198)
    at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at eu.xenit.alfresco.metadata.permissions.repo.security.BaseMetadataRestrictionsFilter.doFilter(BaseMetadataRestrictionsFilter.java:198)
    at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.
    at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)
    at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:398)
    at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:53)
    ... 128 more

thijslemmens commented 5 years ago

This Site information request is probably blocked by a custom permission module: eu.xenit.alfresco.metadata.permissions.repo.security.BaseMetadataRestrictionsFilter.doFilter(BaseMetadataRestrictionsFilter.java:198)

AFaust commented 5 years ago

The site service check is actually to determine if the node is in a site or not, so it cannot be avoided. If the user happens to not have access to any node on the hierarchy to the root, this exception will occur. I believe the best option in this case will be to simply use runAsSystem within the AOP interceptor for the call to the site service.

thijslemmens notifications@github.com wrote on Tue, 7 May 2019, 08:35:

This Site information request is probably blocked by a custom permission module:

eu.xenit.alfresco.metadata.permissions.repo.security.BaseMetadataRestrictionsFilter.doFilter(BaseMetadataRestrictionsFilter.java:198)


thijslemmens commented 5 years ago

I'm willing to contribute to simple content stores

I want to make sure that what I have in mind can result in an acceptable PR. We don't need any checks for Sites, since all content is handled the same way, no site dependent behavior. I'd like to implement a global property to disable it.

AFaust commented 5 years ago

A configuration property to control the enablement of the SiteAttributesInitializer, with *.enabled property having a default value of true, to be overridden via global properties, would be acceptable. If you could include the runAsSystem for the call to SiteService in the same PR even though you are not going to use it yourself, that would be appreciated, because that would be the actual fix to this problem, while the property would just be a workaround for your specific case.
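
A sketch of the two changes discussed above (the narrowly scoped runAsSystem around the site lookup and the enabled switch), added here as an example and not taken from the add-on or from any PR. `SiteLookupSketch`, its attribute keys and its setters are hypothetical; `AuthenticationUtil.runAsSystem`, `SiteService.getSite(NodeRef)` and `SiteInfo` are Alfresco's own API.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.site.SiteInfo;
import org.alfresco.service.cmr.site.SiteService;

// Hypothetical helper for illustration; not the add-on's SiteAttributesInitializer.
public class SiteLookupSketch {

    // Constructed attribute keys, assumed for this sketch only.
    public static final String SITE_NAME = "site.shortName";
    public static final String SITE_PRESET = "site.preset";

    private SiteService siteService;

    // Defaults to true as proposed in the thread; a deployment without
    // site-dependent stores could set it to false via a global property.
    private boolean enabled = true;

    public void setSiteService(final SiteService siteService) { this.siteService = siteService; }

    public void setEnabled(final boolean enabled) { this.enabled = enabled; }

    public Map<String, String> resolveSiteAttributes(final NodeRef node) {
        if (!this.enabled) {
            return Collections.emptyMap();
        }
        // getSite() walks primary parents up to the root. As the calling user
        // this fails with AccessDeniedException when any ancestor is unreadable,
        // so only this lookup is elevated, never the content write itself.
        final SiteInfo site = AuthenticationUtil.runAsSystem(new RunAsWork<SiteInfo>() {
            @Override
            public SiteInfo doWork() {
                return SiteLookupSketch.this.siteService.getSite(node);
            }
        });
        if (site == null) {
            return Collections.emptyMap(); // node is not inside a site
        }
        // Copy out plain strings so no repository object obtained as system
        // is handed back to code running as the user.
        final Map<String, String> attributes = new HashMap<String, String>();
        attributes.put(SITE_NAME, site.getShortName());
        attributes.put(SITE_PRESET, site.getSitePreset());
        return Collections.unmodifiableMap(attributes);
    }
}
```

The permission check on the content write still runs under the caller's identity; the system context ends when `doWork()` returns.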

thijslemmens commented 5 years ago

A configuration property to control the enablement of the SiteAttributesInitializer, with *.enabled property having a default value of true, to be overridden via global properties, would be acceptable. If you could include the runAsSystem for the call to SiteService in the same PR even though you are not going to use it yourself, that would be appreciated, because that would be the actual fix to this problem, while the property would just be a workaround for your specific case.

I skipped the flag implementation. The runAsSystem is enough.

AFaust commented 5 years ago

PR #20 fixes this for Alfresco 5.0 - I will process changes for other branches (and properly address changes to parent POMs from Acosix Maven project) when I get a chance....

thijslemmens commented 5 years ago

We plan to upgrade to 6.1 in the near future, so I can test the fix again and do a follow up PR.

On Wed, 8 May 2019 at 01:29, Axel Faust notifications@github.com wrote:

PR #20 https://github.com/Acosix/alfresco-simple-content-stores/pull/20 fixes this for Alfresco 5.0 - I will process changes for other branches (and properly address changes to parent POMs from Acosix Maven project) when I get a chance....
