Help

Search API doesnt enforce permissions on Document links

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
mire323
Active Member II
‎19 Mar 2020 6:14 PM

Search API doesnt enforce permissions on Document links

Jump to solution

Hello,

first of all thanks for reading my question!

When i create link to a document in share and want to get it in share it inherits permissions from an original document, but when i use search/nodes api it returns links to documents/folders regardless of permissions to original documents/folders so when users try to follow those links the get 403 error.

Can i add some condition to query so it woudnt return links to documents which user has no permission to see.

I will add pictures below:

Screenshot_10.pngScreenshot_15.pngScreenshot_14.pngScreenshot_13.pngScreenshot_11.png

0 Kudos
1 Solution

Accepted Solutions
afaust
Master
‎20 Apr 2020 5:17 PM

Re: Search API doesnt enforce permissions on Document links

Jump to solution

What Alfresco Share does in filtering the link objects is not part of the regular permission model handling. It is a convenience filtering specific to the Share document library UI. You could use other operations in Alfresco Share, e.g. search, and would be able to find / access the link.
This convenience handling is of course missing in the ReST API, which simply returns all elements you are allowed to see. From a permission model perspective, you are allowed to see the link, but not the target. So the API of course returns you the link and its details.

This is all behaviour as designed and this issue is one of the known drawbacks of using link nodes via APIs which where not designed to apply any special logic to them.

View solution in original post

4 Replies
angelborroy
Alfresco Employee
‎20 Mar 2020 8:48 AM

Re: Search API doesnt enforce permissions on Document links

Jump to solution

You can exclude links by adding something like the following clause to your queries:

-TYPE:"app:filelink"
Hyland Developer Evangelist
0 Kudos
mire323
Active Member II
‎19 Apr 2020 7:59 PM

Re: Search API doesnt enforce permissions on Document links

Jump to solution

I want to get links, but only ones i have right to see.

0 Kudos
afaust
Master
‎20 Apr 2020 5:17 PM

Re: Search API doesnt enforce permissions on Document links

Jump to solution

What Alfresco Share does in filtering the link objects is not part of the regular permission model handling. It is a convenience filtering specific to the Share document library UI. You could use other operations in Alfresco Share, e.g. search, and would be able to find / access the link.
This convenience handling is of course missing in the ReST API, which simply returns all elements you are allowed to see. From a permission model perspective, you are allowed to see the link, but not the target. So the API of course returns you the link and its details.

This is all behaviour as designed and this issue is one of the known drawbacks of using link nodes via APIs which where not designed to apply any special logic to them.

mire323
Active Member II
‎22 Apr 2020 1:41 PM

Re: Search API doesnt enforce permissions on Document links

Jump to solution

Thank you soo much for explaining that in such great detail!

Alfresco Content Services Forum

Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.

Related links:

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.