Search API doesnt enforce permissions on Document links

cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Active Member II

Search API doesnt enforce permissions on Document links

Jump to solution

Hello,

first of all thanks for reading my question!

When i create link to a document in share and want to get it in share it inherits permissions from an original document, but when i use search/nodes api it returns links to documents/folders regardless of permissions to original documents/folders so when users try to follow those links the get 403 error.

Can i add some condition to query so it woudnt return links to documents which user has no permission to see.

I will add pictures below:

Screenshot_10.pngScreenshot_15.pngScreenshot_14.pngScreenshot_13.pngScreenshot_11.png

1 Solution

Accepted Solutions
Highlighted
Master

Re: Search API doesnt enforce permissions on Document links

Jump to solution

What Alfresco Share does in filtering the link objects is not part of the regular permission model handling. It is a convenience filtering specific to the Share document library UI. You could use other operations in Alfresco Share, e.g. search, and would be able to find / access the link.
This convenience handling is of course missing in the ReST API, which simply returns all elements you are allowed to see. From a permission model perspective, you are allowed to see the link, but not the target. So the API of course returns you the link and its details.

This is all behaviour as designed and this issue is one of the known drawbacks of using link nodes via APIs which where not designed to apply any special logic to them.

View solution in original post

4 Replies
Highlighted
Alfresco Employee

Re: Search API doesnt enforce permissions on Document links

Jump to solution

You can exclude links by adding something like the following clause to your queries:

-TYPE:"app:filelink"
Software Engineer in Alfresco Search Team.
Highlighted
Active Member II

Re: Search API doesnt enforce permissions on Document links

Jump to solution

I want to get links, but only ones i have right to see.

Highlighted
Master

Re: Search API doesnt enforce permissions on Document links

Jump to solution

What Alfresco Share does in filtering the link objects is not part of the regular permission model handling. It is a convenience filtering specific to the Share document library UI. You could use other operations in Alfresco Share, e.g. search, and would be able to find / access the link.
This convenience handling is of course missing in the ReST API, which simply returns all elements you are allowed to see. From a permission model perspective, you are allowed to see the link, but not the target. So the API of course returns you the link and its details.

This is all behaviour as designed and this issue is one of the known drawbacks of using link nodes via APIs which where not designed to apply any special logic to them.

View solution in original post

Highlighted
Active Member II

Re: Search API doesnt enforce permissions on Document links

Jump to solution

Thank you soo much for explaining that in such great detail!