06-09-2021 01:32 PM
Hi all,
Today we faced a very weird problem involving the Alfresco REST search API. Alfresco version 6.2 Community on Docker, Alfresco Search Services 1.4.2 on Docker.
We have an Alfresco type, and today we reached 1001 objects of this type. Since then, searches through the REST API began to give HTTP 403 errors. But there's more:
We solved the issue by setting the good old system.acl.maxPermissionChecks property to a bigger number, but for me this solution is not good, and furthermore, I don't understand WHY setting this property to a bigger number made this work. We had used this property to be able to get more than 1000 results in a single search, but never faced a permission error when trying to retrieve a resultSet bigger than 1000. I have to say we had always used the Java search API, not the Alfresco REST API.
I would appreciate it if someone can explain why this solution worked, and if we can solve this issue in another way than that.
Thanks
06-11-2021 09:59 AM
Hi,
I made some local tests trying to reproduce this issue.
My guess is that you have individual permissions (not inherited) for each object of that type. Is that the use case?
Not sure if there is another approach if that is the case...
06-14-2021 02:21 AM
Thanks for your response.
Yes, we have permissions set on a site to a group, so everyone can create content.
But when someone creates an object of this type, we set inherit permission to false, and set specific permissions to another group (I think that should be irrelevant), leveraging user access to the cm:owner and cm:creator properties, so the user can only access his own content on type based searches ("TYPE:'<my-type>'").
Reducing the search scope did not work either, for example "TYPE:'<my-type>' AND cm:owner:'<the user>'" gave the same permission error when reaching the 1001 object limit.
06-14-2021 03:40 AM
I guess that the problem is coming from that. Every time you disable inheritance, a new permission check may be added to the query, so in the end you are facing the problem you are describing.
I'd try to think of another permissions schema that doesn't create one specific permission per node.
06-14-2021 04:01 AM
So... if inheritance is enabled, there will be a lot less permission checks, let's say 1, 2 or 10 at most?
Alfresco is making permission checks on top of the node tree then, based on site permissions, and if we set specific permissions on every object, then we force them to make a lot more permission checks?
Thanks for your response
06-14-2021 05:09 AM
From my understanding the problem you are facing is exactly that. But I may be wrong.
If you can run a quick test with inheritance enabled, that will help us to validate my approach.