Today we faced a very weird problem involving the Alfresco REST search API. Alfresco version 6.2 Community on Docker, Alfresco Search Services 1.4.2 on Docker.
We have an Alfresco type, and today we reached 1001 objects of this type. Since then, searches through the REST API began to give HTTP 403 errors. But there's more:
Searches using an admin were working, no problems. I could set maxItems to any number, and no issues.
Searches using a non-admin user were not working, UNLESS we set maxItems to 1, which was the number of items on which this user had visibility. Then, one result was returned, everything ok. Setting maxItems to 2 caused a 403 error to be returned again.
After deleting the user's object, and reaching 1000 objects again, everything was working ok. Until someone created another object of this type. Then, searching with the non-admin user was giving us a 403 error, no matter what number maxItems was set to.
We solved the issue by setting the good old system.acl.maxPermissionChecks property to a bigger number, but for me this solution is not good, and furthermore, I don't understand WHY setting this property to a bigger number made this work. We had used this property to be able to get more than 1000 results in a single search, but never faced a permission error when trying to retrieve a resultSet bigger than 1000. I have to say we had always used the Java search API, not the Alfresco REST API.
I would appreciate it if someone could explain why this solution worked, and whether we can solve this issue in another way.
Yes, we have permissions set on a site to a group, so everyone can create content.
But when someone creates an object of this type, we set inherit permission to false, and set specific permissions to another group (I think that should be irrelevant), leveraging user access to the cm:owner and cm:creator properties, so the user can only access his own content on type-based searches ("TYPE:'<my-type>'").
Reducing the search scope did not work either; for example, "TYPE:'<my-type>' AND cm:owner:'<the user>'" gave the same permission error when reaching the 1001 object limit.
So... if inheritance is enabled, there will be a lot less permission checks, let's say 1, 2 or 10 at most?
Alfresco is making permission checks on top of the node tree then, based on site permissions, and if we set specific permissions on every object, then we force them to make a lot more permission checks?