lukefitzwolfgang / icatproject

Automatically exported from code.google.com/p/icatproject

Read permissions are not checked for objects in the search expression but not included in the result #132

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I'm not sure whether this is a bug or if it's considered a feature.  In any 
case I found it surprising enough to report it here, so it can be discussed.

It seems that for a search, read permissions are only checked for objects 
included in the result.  No permissions seem to be checked at all for objects 
that appear in the search expression only, not included in the result.

I stumbled over the issue when I realized that I forgot to set any read 
permissions on InvestigationInstrument and then I wondered why TopCAT could 
still work, see case 1.  But the issue may have more serious consequences than 
this, see other cases.

What steps will reproduce the problem?
# case 1: user has read permission on this particular Investigation, but no
# permission on InvestigationInstrument at all:
>>> client.search("Investigation.name <-> InvestigationInstrument <-> Instrument [name = 'E2']")
[2010-E2-0489-1]
# case 2: user has no read permission on Investigation 2012-EDDI-0390-1,
# still just by guessing the name, he can check which Instrument the investigation uses:
>>> client.search("Instrument.name <-> InvestigationInstrument <-> Investigation [name = '2012-EDDI-0390-1']")
[EDDI]
# case 3: ... or which users are involved in it:
>>> client.search("User.name <-> InvestigationUser <-> Investigation [name = '2012-EDDI-0390-1']")
[nbour]
# case 4: a user that has read permission on User and on Instrument, but no read
# permission on any Investigation at all, can still check which user works on which
# Instrument:
>>> for inst in client.search("Instrument.name"):
...   u = client.search("User.name <-> InvestigationUser <-> Investigation <-> InvestigationInstrument <-> Instrument [name = '%s']" % inst)
...   print "%s: %s" % (inst, u)
... 
E2: [ahau]
EDDI: [nbour]
HIKE: [jbotu, nbour, rbeck]

What is the expected output? What do you see instead?
I'd expect empty search results in all cases, as the user did not have 
permission to access the item he used in the search expressions.

Please use labels and text to provide additional information.
ICAT version is 4.3.2.

Original issue reported on code.google.com by rolf.kr...@helmholtz-berlin.de on 3 Mar 2014 at 4:43
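The following is an added illustration of the permission gap the report describes; it is not ICAT's code and not python-icat's API. It models a tiny in-memory version of the entities in the report (Investigation, Instrument, User and the two link tables), a hypothetical rule set in which the user may read Instrument and User but not the second Investigation, and a search routine that resolves a join chain right to left. The `check_every_step` switch contrasts the reported behaviour (read rules applied only to the result type) with a policy that applies them to every record traversed. All names, records and rules are constructed for the example.

```python
"""Toy model of the permission gap in this issue (added example, not ICAT code)."""

# Constructed sample data: entity type -> list of records.
ENTITIES = {
    "Investigation": [
        {"id": 1, "name": "2010-E2-0489-1"},
        {"id": 2, "name": "2012-EDDI-0390-1"},
    ],
    "Instrument": [{"id": 1, "name": "E2"}, {"id": 2, "name": "EDDI"}],
    "User": [{"id": 1, "name": "ahau"}, {"id": 2, "name": "nbour"}],
    # link tables joining investigations to instruments and users
    "InvestigationInstrument": [
        {"id": 1, "investigation": 1, "instrument": 1},
        {"id": 2, "investigation": 2, "instrument": 2},
    ],
    "InvestigationUser": [
        {"id": 1, "investigation": 1, "user": 1},
        {"id": 2, "investigation": 2, "user": 2},
    ],
}

# Which foreign-key field on a link table points at which entity type.
LINKS = {
    "InvestigationInstrument": {"Investigation": "investigation", "Instrument": "instrument"},
    "InvestigationUser": {"Investigation": "investigation", "User": "user"},
}

# Types every user may read, as in the report (Instrument, User and the links).
OPEN_TYPES = {"Instrument", "User", "InvestigationInstrument", "InvestigationUser"}

# Hypothetical per-user read rules for the restricted type Investigation.
RULES = {
    "alice": {"Investigation": lambda r: r["id"] == 1},   # may read Investigation 1 only
    "guest": {"Investigation": lambda r: False},          # may read no Investigation
}


def can_read(user, etype, record):
    """Return True if `user` may read `record` of type `etype`."""
    if etype in OPEN_TYPES:
        return True
    pred = RULES.get(user, {}).get(etype)
    return bool(pred and pred(record))


def search(user, chain, where, check_every_step):
    """Resolve `chain` from its last type back to chain[0]; return result names.

    `chain` alternates entity and link types, e.g.
    ["Instrument", "InvestigationInstrument", "Investigation"], and `where`
    is a predicate on records of the last type.  With check_every_step=False
    only records of the result type are filtered by read rules (the reported
    behaviour); with True every traversed record must be readable.
    """
    def visible(etype, records):
        if check_every_step or etype == chain[0]:
            return [r for r in records if can_read(user, etype, r)]
        return records

    current_type = chain[-1]
    current = visible(current_type, [r for r in ENTITIES[current_type] if where(r)])
    # Walk towards the result type two hops at a time: entity -> link -> entity.
    for i in range(len(chain) - 2, -1, -2):
        link_type, next_type = chain[i], chain[i - 1]
        ids = {r["id"] for r in current}
        fk_cur = LINKS[link_type][current_type]
        links = visible(link_type, [l for l in ENTITIES[link_type] if l[fk_cur] in ids])
        fk_next = LINKS[link_type][next_type]
        next_ids = {l[fk_next] for l in links}
        current_type = next_type
        current = visible(next_type, [r for r in ENTITIES[next_type] if r["id"] in next_ids])
    return sorted(r["name"] for r in current)


def case2(check_every_step):
    """Case 2 of the report: which Instrument does an unreadable Investigation use?"""
    return search("alice", ["Instrument", "InvestigationInstrument", "Investigation"],
                  lambda r: r["name"] == "2012-EDDI-0390-1", check_every_step)


def case4(user, check_every_step):
    """Case 4 of the report: which user works on which Instrument?"""
    chain = ["User", "InvestigationUser", "Investigation",
             "InvestigationInstrument", "Instrument"]
    return {inst["name"]: search(user, chain, lambda r, n=inst["name"]: r["name"] == n,
                                 check_every_step)
            for inst in ENTITIES["Instrument"]}


if __name__ == "__main__":
    print("case 2, result-only check:", case2(False))   # ['EDDI']
    print("case 2, every step checked:", case2(True))   # []
    print("case 4, result-only check:", case4("guest", False))
    print("case 4, every step checked:", case4("guest", True))
```

With result-only checking, both cases return the inferred data; checking each traversed record leaves only what the user may actually read. Steve's follow-up below makes the cost argument against the second policy: in a real query engine it means an extra authorization clause for every entity in the join chain, which is exactly what the toy `visible()` call on each hop represents.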

GoogleCodeExporter commented 9 years ago
It is considered a feature - however I am accepting the bug to ensure that I 
remember to address it in the documentation. The reason for the behaviour is 
that to ensure access is permitted to all quantities required in the query 
could lead to very time consuming queries. Some cases leading to unexpectedly 
long queries have already been reported by Tom and I don't want to make matters 
considerably worse by adding all these extra clauses to the JPQL query that I 
generate and which in turn is converted to SQL. Do you have a real use case for 
checking read access to all the information used in evaluating the query rather 
than just the returned results?

Original comment by dr.s.m.f...@gmail.com on 10 Mar 2014 at 1:09

GoogleCodeExporter commented 9 years ago
The issue causes ICAT to leak all sorts of information on all investigations to 
all users.  There is currently no practical way to prevent this by access 
rules.  All it takes is read permission on the instruments and some creativity 
on formulating smart queries to get any information on the investigations.

We at HZB haven't set up our data policy yet, but I guess we will have at least 
some period of time where read access to investigation data should be limited 
exclusively to the investigators.  So the use case would be an investigation in 
the ICAT that should not be public.

I'm well aware that performance is an issue here and I do not claim that I'm 
able to suggest a solution.  I merely state that we do have a problem.

Original comment by rolf.kr...@helmholtz-berlin.de on 12 Mar 2014 at 8:22

GoogleCodeExporter commented 9 years ago
I think the only thing you can do is to determine if something is true. For 
example you can find out if there is an Investigation with a certain word in 
its name or description - but you cannot then see the context. I think that 
this should be sufficient for most people. Perhaps we should discuss this in 
Dublin as the meeting currently has a rather light agenda.

Steve

Original comment by dr.s.m.f...@gmail.com on 13 Mar 2014 at 10:00

GoogleCodeExporter commented 9 years ago
As there has been no more discussion I am marking this as WontFix

Steve

Original comment by dr.s.m.f...@gmail.com on 8 Apr 2014 at 5:16