AnsweredAssumed Answered

AuthorityService, SearchService and document ownership

Question asked by marco.altieri on Feb 18, 2011
Latest reply on Feb 23, 2011 by marco.altieri

if a user has the  ownership of a document (inside a Share document library) he can modify it even if he doesn't belong to the site anymore.
This is considered a security issue by a client.
To solve this problem, I'm trying to develop a custom AuthorityService that intercepts the removing of a user from a group to verify if, after this removing, he cannot see a site anymore.
What I want to do is to verify which subfolders of the "Company Home/Sites" folder the user can see before and after the removing: if a subfolder is not visible anymore, I suppose that the user has been removed from the corresponding site. With the list of all sites from which he has been removed, I can easily find the documents that he owns.

   public void removeAuthority(String parentName, String childName)
      List<NodeRef> sitesBefore = null;
      List<NodeRef> sitesAfter;
      if (!childName.startsWith("GROUP_")) {
         sitesBefore = getVisibleSites(childName, null);
      authorityDAO.removeAuthority(parentName, childName);
      if (sitesBefore != null) {
         sitesAfter = getVisibleSites(childName, sitesBefore);

   private List<NodeRef> getVisibleSites(String childName, final List<NodeRef> excludes) {
      return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<List<NodeRef>>() {
         public List<NodeRef> doWork() throws Exception
            String luceneSearch = "PATH:\"/app:company_home/st:sites/*\"";
                 StoreRef storeRef = new StoreRef(StoreRef.PROTOCOL_WORKSPACE, "SpacesStore");
                 ResultSet rs = searchService.query(storeRef, SearchService.LANGUAGE_LUCENE, luceneSearch);
            List<NodeRef> sites = rs.getNodeRefs();
            if (excludes != null) {
            QName name = QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, "name");
                 for (NodeRef site: sites) {
                    Serializable siteName = nodeService.getProperty(site, name);
                    System.out.println("siteName = " + siteName);
            return sites;

      }, childName);

Unfortunately when I call the getVisibleSites the second time the user can still see the same list of sites. It seems that the SearchService doesn't see the removing that has been already executed.

To set the searchService of the custom AuthorityService I have used the bean SearchService.

Can you help me please?