[MGNLUI-7528] Twin-column field limited to 500 rows Created: 19/Sep/22  Updated: 20/Sep/22  Resolved: 20/Sep/22

Status: Closed
Project: Magnolia UI
Component/s: admincentral
Affects Version/s: 6.2.24
Fix Version/s: None

Type: Bug Priority: Critical
Reporter: Thomas Comiotto Assignee: Unassigned
Resolution: Workaround exists Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    
Issue Links:
causality
relation
is related to SECURITY-3 Migrate security app to M6 framework In Progress
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Team: Nucleus

 Description   

Steps to reproduce

  1.  Create a dialog with a Twin-column field ($type twinColSelectField)
  2.  Populate it with more than 500 items

Expected results

Unlimited number of items should be possible

Actual results

Error: «Client tried fetch more rows than allowed. This is denied to prevent denial of service»
RcpInvoctionException: Unable to invoke method requestRows in com.vaadin.shared.data.DataRequestRpc

This is a known vaadin bug introduced in 8.14.x. The solution seems to setMaximumAllowedRows  on the DataCommunicator

Workaround

None. It's a blocker for us because we have more than 500 usergroups in the security app and will lose the ability to assign groups to users after an upgrade to Magnolia 6.

Development notes



 Comments   
Comment by Roman Kovařík [ 20/Sep/22 ]

Hi tcomiotto

 

Thanks for reporting the issue.

This is a known vaadin bug introduced in 8.14.x. The solution seems to setMaximumAllowedRows  on the DataCommunicator

This was actually a security fix, see https://vaadin.com/security/cve-2021-33609.

Unlimited number of items should be possible

This would expose the security problem again. Could be configurable, although many items in a multi select field is probably not so common/practical:

  • rendering all items without paging
  • missing filtering options
  • e.g. jcrMultiValueField might be better option for bigger data sets

None. It's a blocker for us because we have more than 500 usergroups in the security app and will lose the ability to assign groups to users after an upgrade to Magnolia 6.

The security app hasn't been migrated to vaadin8 framework yet so shouldn't be affected.

 

Regards

Roman

Comment by Thomas Comiotto [ 20/Sep/22 ]

Hi Roman,
You're right,  the security app isn't affected. It's actually a custom dialog loading usergroups, so will try a jcrMultiValueField there. So you can close this issue (for the moment).

Regards,
Thomas

Comment by Roman Kovařík [ 20/Sep/22 ]

Closing for now, feel free to reopen if needed

Generated at Mon Feb 12 09:46:58 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.