dotCMS / core

Headless/Hybrid Content Management System for Enterprises
http://dotcms.com

Content API isn't respecting permissions #12536

Closed bryanboza closed 6 years ago

bryanboza commented 7 years ago

We have problems validating permissions in the content API when you try to get content via REST, because an anonymous user can get private content.

Expected Behavior

We should validate whether the requesting user has permissions to get the requested content.

Current Behavior

An anonymous user is able to get content from any content type, without validating whether they have permissions or not.

Steps to Reproduce (for bugs)

  1. Create a new content type
  2. Add some contents to this content type
  3. Edit the content type permissions, and set permissions just to admin
  4. Apply cascade changes
  5. Make sure every piece of content has the same permissions
  6. Try to get content from this content type via REST

Your Environment

Tested on master // Postgres // Postman

bryanboza commented 7 years ago

Tested after the last changes and we are still having the same problem, but to reproduce you should add some pieces of content to the content type before changing the permissions... It seems the problem can be with the reset all permissions process. To recreate:

FYI: After reindex we are unable to get these contents

jcastro-dotcms commented 7 years ago

PR core: https://github.com/dotCMS/core/pull/12685 PR ee : https://github.com/dotCMS/enterprise-2.x/pull/542

bryanboza commented 7 years ago

Ok, after testing the last changes, the original problem has now been fixed, but now we are having another problem with permissions:

SC: https://screencast.com/t/BU2JpjveWR

wezell commented 7 years ago

@bryanboza actually, permissions are loaded lazily. This means that if you change permissions without first loading the content, it will get the new permissions. A bug would be:

  1. Load the content and check the permissions
  2. Change the permissions on a subfolder and don't cascade them
  3. Check the permissions on the content again and see that they have not been changed
  4. Cascade the folder permissions, let it finish and then check the content permissions again - they should be changed
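The lazy-loading behaviour described in the comment above, as an added toy model that is not dotCMS code: content permissions are computed from the folder only on first use and then cached, so a permission change made after the content was loaded is not visible until the cascade refreshes the cache. The class and function names (`Folder`, `Content`, `PermissionService`, `cascade`) are hypothetical and do not correspond to dotCMS internals; the point is the verification a tester wants after restricting a content type: confirm that the anonymous role can no longer read it, both before and after the cascade.

```python
"""Toy model of lazily loaded, cached content permissions (added example,
not dotCMS code). Names are hypothetical; the behaviour modelled is the
one described in the thread: permissions are loaded on first access and
refreshed by a cascade."""
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"


@dataclass
class Folder:
    name: str
    allowed_roles: set            # roles allowed to read content in this folder
    children: list = field(default_factory=list)


@dataclass
class Content:
    identifier: str
    folder: Folder


class PermissionService:
    """Permissions are resolved lazily and cached per content identifier."""

    def __init__(self):
        self._cache = {}          # content identifier -> set of allowed roles

    def _load(self, content):
        # Lazy load: the folder's roles are copied into the cache on first use.
        if content.identifier not in self._cache:
            self._cache[content.identifier] = set(content.folder.allowed_roles)
        return self._cache[content.identifier]

    def can_read(self, content, role):
        return role in self._load(content)

    def cascade(self, folder):
        # Push the folder's current roles down to every child and refresh the cache.
        for child in folder.children:
            self._cache[child.identifier] = set(folder.allowed_roles)


def _fixture():
    # Constructed sample data: one folder, initially readable by admin and anonymous.
    folder = Folder("news", {"admin", ANONYMOUS})
    content = Content("c1", folder)
    folder.children.append(content)
    return folder, content, PermissionService()


def change_before_load():
    """Permissions restricted before anything loaded the content.
    Returns whether anonymous can read afterwards (expected: False)."""
    folder, content, svc = _fixture()
    folder.allowed_roles = {"admin"}          # nobody has loaded c1 yet
    return svc.can_read(content, ANONYMOUS)   # first load sees the new roles


def change_after_load():
    """Content loaded first, then restricted without cascade, then cascaded.
    Returns (readable_before_change, readable_after_change, readable_after_cascade)."""
    folder, content, svc = _fixture()
    before = svc.can_read(content, ANONYMOUS)     # True, and now cached
    folder.allowed_roles = {"admin"}
    stale = svc.can_read(content, ANONYMOUS)      # still True: cache is stale
    svc.cascade(folder)
    after = svc.can_read(content, ANONYMOUS)      # False once the cascade ran
    return before, stale, after


if __name__ == "__main__":
    print("anonymous read after change-before-load:", change_before_load())
    print("(before, stale, after cascade):", change_after_load())
```

The stale middle value in `change_after_load()` is the window the tester should look for: until the cascade completes, the cached permission set still grants the anonymous role, so a check made right after editing the content type permissions can give a different answer from one made after the cascade finishes.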

bryanboza commented 7 years ago

Ok @wezell, actually your case works as expected, but if you try to reproduce my case on demo.dotcms.com, we get a totally different behavior. Steps:

However we have two roles, the default and the new one. SC: https://screencast.com/t/10RVNQko

jgambarios commented 7 years ago

Note to QA: After a meeting with Will, we realized the issue reported in https://github.com/dotCMS/core/issues/12536#issuecomment-333656959 is expected behaviour.

bryanboza commented 7 years ago

Fixed...