[MGNLUI-7257] Deleting JCR items needs access to root which might lead to access denied exception Created: 21/Jun/22  Updated: 27/Sep/22  Resolved: 21/Sep/22

Status: Closed
Project: Magnolia UI
Component/s: None
Affects Version/s: 6.2.20
Fix Version/s: 6.3.0, 6.2.25

Type: Bug Priority: Neutral
Reporter: Carlos Cantalapiedra Assignee: Roman Kovařík
Resolution: Fixed Votes: 0
Labels: None

Attachments: Text File stacktrace.log    
Issue Links:
Problem/Incident
Sub-Tasks:
Key          Summary                                    Type      Status     Assignee
MGNLUI-7522  Implement system context solution          Sub-task  Completed
MGNLUI-7523  Implement a non system context solution    Sub-task  Completed
MGNLUI-7524  Rw                                         Sub-task  Completed  Adam Siska
MGNLUI-7525  Preint QA                                  Sub-task  Completed  Adam Siska
MGNLUI-7526  QA                                         Sub-task  Completed  Jaromir Sarf
MGNLUI-7529  Regression: JcrDatasource#evaluatePro...   Sub-task  Closed     Michael Duerig
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Epic Link: Maintenance of vaadin8 framework
Sprint: Nucleus 19
Story Points: 5
Team: Nucleus

 Description   

Steps to reproduce

  1. Go to Magnolia demo
  2. Log in as superuser, go to Security App and edit the userrole "/travel-demo-tour-editor"
  3. On the Access Control list tab set ACL for dam to "/tours" (Read/Write, Selected and sub-nodes)
  4. Log in as tina
  5. Go to Assets app and open "/tours" folder
  6. Delete one of the assets
  7. Publish deletion
  8. Once the deletion has been successful, click on any of the checkboxes on the left column (e.g., on the /travel folder)
  9. Check an error banner appears

If you click anywhere else, the error doesn't happen; it has to be a checkbox.
An error banner with the error message "Access denied" appears, even though the deletion has been successful.

This happens because there is a weird interaction with a deleted node directly under "/" at this point. Please have a look.

Attached the full log stack trace.



 Comments   
Comment by Roman Kovařík [ 07/Sep/22 ]

Discovery:

Vaadin sometimes needs to work with already deleted item(s).

For that, we create a tmp node/property at the root level, which is not saved (it is removed before Session#save) and is therefore gone in following requests. So far so good.

A problem occurs if the user doesn't have access to the root node:

  1. Can we create the tmp node in a node where the user has access? The answer is yes, but then we don't know where the node we should delete before save is (we would have to search the whole workspace to find the tmp nodes).
  2. Can we create the node in system context? This might be the solution but needs to be tested.
  3. Can we use a mock node? We use the so-called MissingNode in link fields. This works well, although it's not a full replacement for a real tmp node. Some methods might not be implemented and called. Needs to be tested.
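
The failure described in the comment above, and the first alternative it lists, as an added example (not Magnolia code and not part of the comment): a simplified Python model of path-scoped ACLs in which a role limited to "/tours" is denied a tmp node at the root but can place one under a writable ancestor. The permission bits, the scope names other than "Selected and sub-nodes", all function names, the `tmp-placeholder` node name and the asset path are assumptions made for the illustration.

```python
from posixpath import dirname

READ, WRITE = 1, 2  # assumed permission bits for this model

# Constructed roles as (path, scope, permissions); TINA mirrors step 3 above.
TINA = [("/tours", "selected and sub-nodes", READ | WRITE)]
SUPERUSER = [("/", "selected and sub-nodes", READ | WRITE)]

def covers(entry_path, scope, path):
    """True if an ACL entry with this scope applies to path."""
    is_self = path == entry_path
    is_below = not is_self and path.startswith(entry_path.rstrip("/") + "/")
    return {"selected": is_self, "sub-nodes": is_below,
            "selected and sub-nodes": is_self or is_below}[scope]

def allowed(acl, path, needed):
    """Default deny: some covering entry must carry every needed bit."""
    return any(covers(p, s, path) and (perm & needed) == needed
               for p, s, perm in acl)

def add_tmp_node(acl, parent):
    """Model of adding the unsaved tmp node; needs write on the parent."""
    if not allowed(acl, parent, WRITE):
        raise PermissionError("Access denied: " + parent)
    return parent.rstrip("/") + "/tmp-placeholder"  # hypothetical node name

def writable_ancestor(acl, item_path):
    """Nearest ancestor of the deleted item where the session may write."""
    parent = dirname(item_path)
    while not allowed(acl, parent, WRITE):
        if parent == "/":
            return None
        parent = dirname(parent)
    return parent

def create_tracked(acl, item_path, pending):
    """Create the tmp node near the item and record its path, so it can be
    removed before save without searching the workspace (an assumption)."""
    parent = writable_ancestor(acl, item_path)
    if parent is None:
        raise PermissionError("Access denied: no writable ancestor")
    pending.append(add_tmp_node(acl, parent))
    return pending[-1]

if __name__ == "__main__":
    try:
        add_tmp_node(TINA, "/")  # what the root-level tmp node runs into
    except PermissionError as err:
        print(err)
    print(create_tracked(TINA, "/tours/flight.jpg", []))  # constructed path
```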

 

Comment by Adam Jones [ 08/Sep/22 ]

Pair with fcherchi 

Generated at Mon Feb 12 09:44:34 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.