OPENIDM-14387 (OpenIDM)

DA: Too many objects returned from an edge's relationship field when privilege filter should limit

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: None
    • Labels:

      Description

      On a request such as: 

      http://{{host}}:{{port}}/openidm/managed/user/scarter/roles?_queryFilter=true&_fields=*,members/*

      if a privilege filter should limit the member objects, all of them are still returned. For
      example, a privilege of "/userName eq 'scarter'" on "managed/user" should limit the members of
      scarter's roles to those whose userName is scarter, yet every member is returned.

      A filter (conditionalFilter(matchResourcePath("^.(managed|internal)/.$"), privilegeExecutorContextFilter)) is added to the AugmentingIDMConnectionFactoryProxy; it adds a PrivilegeExecutorContext to an "external" Context so that privilege filters are considered during reads and queries.

      The connection used to be passed to this class's constructor, so the filters stayed bound to the type of connection they were meant for.

      Since commit 5cbad98a4cb, the connection used for field augmentation is the INTERNAL_ROUTER_COMPONENT_NAME_FILTER one. That connection does not have the filter that adds the PrivilegeExecutorContext to the Context, so privilege filters are not considered and too many results are returned.

      Either apply the PrivilegeExecutorContextFilter at a lower level, in the ServletConnectionFactory, or change field augmentation to use the AugmentingIDMConnectionFactoryProxy passed in through the constructor (passing it by reference will not work; that causes a circular reference). Other solutions that might allow removing the PrivilegeExecutorContextFilter altogether should be researched.
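      The failure path the description traces, as an added Python model that is not OpenIDM code: two connections share one router, only the external one runs a stand-in for the PrivilegeExecutorContextFilter, and relationship expansion for members/* goes through the unfiltered internal connection, so the privilege only takes effect once the filter is pushed down into the router (the lower-level fix the description proposes). The resource names, the privilege and the request come from the issue; the sample data, the class names and the one-request-per-expanded-member behaviour are assumptions.

```python
import re

# Constructed sample data (not from the issue): two users and one role.
RESOURCES = {
    "managed/user": {"scarter": {"_id": "scarter", "userName": "scarter"},
                     "bjensen": {"_id": "bjensen", "userName": "bjensen"}},
    "managed/role": {"admins": {"_id": "admins", "members": [
        {"_ref": "managed/user/scarter"}, {"_ref": "managed/user/bjensen"}]}},
}
# The privilege from the issue: on managed/user, "/userName eq 'scarter'".
PRIVILEGES = {"managed/user": lambda o: o["userName"] == "scarter"}
def privilege_executor_context_filter(ctx):
    return {**ctx, "privilege_executor": True}  # stand-in for PrivilegeExecutorContext

class Router:  # resolves requests; expands members/* through self.augmenting
    def __init__(self, filter_in_router):
        self.filter_in_router = filter_in_router  # the fix: filter below every connection
        self.augmenting = None
    def query(self, path, ctx, expand_members=False):
        if self.filter_in_router:
            ctx = privilege_executor_context_filter(ctx)
        objs = list(RESOURCES[path].values())
        if ctx.get("privilege_executor") and path in PRIVILEGES:  # honoured only if marked
            objs = [o for o in objs if PRIVILEGES[path](o)]
        if expand_members:  # each augmentation read is issued as its own request (assumption)
            objs = [{**o, "members": self.augmenting.expand(o["members"], {"user": ctx["user"]})}
                    for o in objs]
        return objs

class Connection:
    def __init__(self, router, filters):
        self.router, self.filters = router, filters  # filters: [(path regex, ctx -> ctx)]
    def query(self, path, ctx, expand_members=False):
        for pattern, fn in self.filters:
            if re.match(pattern, path):
                ctx = fn(ctx)
        return self.router.query(path, ctx, expand_members)
    def expand(self, refs, ctx):  # resolve each _ref with a read on *this* connection
        return [o for ref in refs for o in self.query(ref["_ref"].rsplit("/", 1)[0], ctx)
                if ref["_ref"].endswith("/" + o["_id"])]

def members_seen(filter_in_router):
    # Models GET managed/user/scarter/roles?_fields=*,members/* issued by scarter.
    router = Router(filter_in_router)
    external = Connection(router, [(r"^(managed|internal)/", privilege_executor_context_filter)])
    router.augmenting = Connection(router, [])  # internal router connection: no such filter
    roles = external.query("managed/role", {"user": "scarter"}, expand_members=True)
    return sorted(m["userName"] for r in roles for m in r["members"])
```

With the filter only on the external connection, members_seen(False) returns both users; with the filter applied in the router, members_seen(True) returns only scarter, which is the check a regression test for this issue would make.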


    People

    • Assignee: Katie Gonzalez (katie.gonzalez)
    • Reporter: Katie Gonzalez (katie.gonzalez)
