Hyland Connect

Olivier_Salaün · ‎01-05-2017

I submit a bug report+patch here because I could not find out how to get a JIRA account.

We encountered an exception while trying to remove a permission associated to a group. The issue is related to the group ID format that includes ":" characters that conflicts with Nuxeo's ACE format that also uses ":" as a separator.

The exception we get while trying to remove permissions for group "ur1:dsi:snum:groupes:groupe2" : ****** chain ******
/> Name: Document.RemovePermission
/> Exception: OperationException
/> Caught error: Failed to invoke operation Document.RemovePermission
/> Caused by: java.lang.NumberFormatException: For input string: "groupe2"
/> ****** Hierarchy calls ******
/> org.nuxeo.ecm.automation.core.operations.document.RemovePermission

at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:232)
/> at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:115)
/> at org.nuxeo.ecm.automation.server.jaxrs.OperationResource.execute(OperationResource.java:51)
/> at org.nuxeo.ecm.automation.server.jaxrs.ExecutableResource.doPost(ExecutableResource.java:61)
/> ... 88 more
/> Caused by: org.nuxeo.ecm.automation.OperationException: Failed to invoke operation Document.RemovePermission
/> at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(InvokableMethod.java:182)
/> at org.nuxeo.ecm.automation.core.impl.CompiledChainImpl.doInvoke(CompiledChainImpl.java:128)
/> at org.nuxeo.ecm.automation.core.impl.CompiledChainImpl.invoke(CompiledChainImpl.java:114)
/> at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:208)
/> ... 91 more
/> Caused by: java.lang.NumberFormatException: For input string: "groupe2"
/> at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
/> at java.lang.Long.parseLong(Long.java:589)
/> at java.lang.Long.valueOf(Long.java:803)
/> at org.nuxeo.ecm.core.api.security.ACE.fromId(ACE.java:82)
/> at org.nuxeo.ecm.automation.core.operations.document.RemovePermission.removePermission(RemovePermission.java:83)
/> at org.nuxeo.ecm.automation.core.operations.document.RemovePermission.run(RemovePermission.java:61)
/> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
/> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
/> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
/> at java.lang.reflect.Method.invoke(Method.java:497)
/> at org.nuxeo.ecm.automation.core.impl.InvokableMethod.doInvoke(InvokableMethod.java:164)
/> at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(InvokableMethod.java:170)
/> ... 94 more

Attached is a patch that preserves the groupId within an ACE; the aceId is analyzed using a regular expression instead of split().

Guillaume_Renar · ‎01-05-2017

Hello. Best way to submit a patch is to create a Pull Request on Github (https

Olivier_Salaün · ‎01-05-2017

Thank you for your quick answer. I will do a submit a pull request for this.

Regarding the relevance of this proposal, I forgot to mention that our Nuxeo platform is configured to use external users and groups defined in our LDAP directory. This type of group IDs were correctly supported with Nuxeo 5.8 and we can't afford to change our groups naming schema because it would have consequences for all LDAP consuming apps.

Note also that the proposed code change does not break the ACE format logic; it just makes the ACE parser more precise and therefore more robust to unexpected username/group ID formats.

Regards

Florent_Guillau · ‎01-05-2017

Thanks for the pull request. Please see my comments on it.

Florent_Guillau · ‎01-05-2017

[NXP-21421](https

Florent_Guillau · ‎01-07-2017

The next hotfix version will include the correction.

pibou_Bouvret · ‎01-05-2017

The colon is the default separator used in the nuxeo-platform-shibboleth-groups-web addon (tree view of groups).

Hyland Connect

Permissions for groups - bug report and patch