Search API doesn't enforce permissions on Document links

mire323
Confirmed Champ

Hello,

first of all thanks for reading my question!

When I create a link to a document in Share and want to get it in Share, it inherits permissions from the original document, but when I use the search/nodes API it returns links to documents/folders regardless of permissions on the original documents/folders, so when users try to follow those links they get a 403 error.

Can I add some condition to the query so it wouldn't return links to documents which the user has no permission to see?

I will add pictures below:


1 ACCEPTED ANSWER

afaust
Legendary Innovator

What Alfresco Share does in filtering the link objects is not part of the regular permission model handling. It is a convenience filtering specific to the Share document library UI. You could use other operations in Alfresco Share, e.g. search, and would be able to find / access the link.
This convenience handling is of course missing in the ReST API, which simply returns all elements you are allowed to see. From a permission model perspective, you are allowed to see the link, but not the target. So the API of course returns you the link and its details.

This is all behaviour as designed and this issue is one of the known drawbacks of using link nodes via APIs which were not designed to apply any special logic to them.
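
Since the API applies no special logic to link nodes, a client can post-filter search results itself by probing each link's target as the calling user. The following is an added example, not code from this thread or from Alfresco; it assumes the search request included `properties`, that link nodes carry their target in `cm:destination`, and that `nodes_url` is the REST API's nodes collection URL. The helper names and sample data are constructed.

```python
import re
import urllib.error
import urllib.request

LINK_TYPES = {"app:filelink", "app:folderlink"}
# Assumption: cm:destination arrives as a full NodeRef or as a bare node id.
# The strict character set also keeps the value safe to place in a URL path.
DEST = re.compile(r"^(?:workspace://SpacesStore/)?([A-Za-z0-9-]+)$")

def link_target(entry):
    """Target node id of a link entry; None if missing or malformed."""
    dest = (entry.get("properties") or {}).get("cm:destination")
    m = DEST.match(dest) if isinstance(dest, str) else None
    return m.group(1) if m else None

def make_can_read(nodes_url, headers):
    """Probe GET {nodes_url}/{id} with the user's own credentials; only 200 counts."""
    def can_read(node_id):
        req = urllib.request.Request(f"{nodes_url}/{node_id}", headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status == 200
        except urllib.error.HTTPError:
            return False  # 403 or 404 on the target: hide the link
    return can_read

def filter_links(entries, can_read):
    """Return (kept, hidden): non-links pass; links pass only if the target is readable."""
    kept, hidden, seen = [], [], {}
    for item in entries:
        entry = item["entry"]
        if entry.get("nodeType") not in LINK_TYPES:
            kept.append(entry)
            continue
        target = link_target(entry)
        if target is not None and target not in seen:
            seen[target] = can_read(target)  # one probe per distinct target
        # Fail closed: a link without a usable destination is hidden too.
        (kept if target is not None and seen[target] else hidden).append(entry)
    return kept, hidden

# Constructed sample shaped like the "entries" list of a search response.
SAMPLE = [
    {"entry": {"id": "n1", "nodeType": "cm:content"}},
    {"entry": {"id": "n2", "nodeType": "app:filelink",
               "properties": {"cm:destination": "workspace://SpacesStore/aaaa-1111"}}},
    {"entry": {"id": "n3", "nodeType": "app:filelink",
               "properties": {"cm:destination": "workspace://SpacesStore/bbbb-2222"}}},
    {"entry": {"id": "n4", "nodeType": "app:folderlink",
               "properties": {"cm:destination": "bbbb-2222"}}},
    {"entry": {"id": "n5", "nodeType": "app:filelink"}},
]
```

The probe must run with the end user's credentials, not a service account's, otherwise the filter reflects the wrong permissions.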


4 REPLIES

angelborroy
Community Manager

You can exclude links by adding something like the following clause to your queries:

-TYPE:"app:filelink"
Hyland Developer Evangelist

I want to get links, but only ones I have the right to see.

mire323
Confirmed Champ

Thank you so much for explaining that in such great detail!