Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-19124

Encountered NullPointerException due to dangling permission left after an LDAP group or user is deleted from the LDAP server

    XMLWordPrintable

Details

    Description

      Confluence will throw a NullPointerException below when it receives a Null value instead of a Group / User name when checking for Group / User permission.

      2010-03-24 16:11:01,478 ERROR [http-8080-6] [atlassian.confluence.servlet.ConfluenceServletDispatcher] sendError Could not execute action
 -- url: /pages/getpagepermissions.action | userName: clan | referer: http://localhost:8080/display/permission/Clan%27s+restricted+page
java.lang.NullPointerException
	at com.atlassian.confluence.user.PermittedUserFinder.checkGroupExplicitlyPermitted(PermittedUserFinder.java:51)
	at com.atlassian.confluence.user.PermittedUserFinder.makeResult(PermittedUserFinder.java:43)
	at com.atlassian.confluence.pages.actions.GetPagePermissionsAction.execute(GetPagePermissionsAction.java:84)
	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:168)
	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
	at com.opensymphony.xwork.interceptor.DefaultWorkflowInterceptor.intercept(DefaultWorkflowInterceptor.java:55)
	at com.atlassian.confluence.core.ConfluenceWorkflowInterceptor.intercept(ConfluenceWorkflowInterceptor.java:35)

      This can happen when an LDAP group / User was given a permission (eg. view, edit) in Confluence and then was deleted from the LDAP server.

      This problem will cause the specific user who created the permission in the first place to not able adding anymore permission to the space.

      Clicking on padlock or trying to edit Restrictions will result in the stack trace above in the log file.

      No error is visible from the browser.

      Workaround

      If you hit into this bug and not sure which group to remove from the permission list, the attached patch will help you to identify which groups are causing the problem.

      To install:

      1. Unzip the zip file into <confluence install>\confluence\WEB-INF\classes\com\atlassian\confluence
        The patch GetPagePermissionsAction.class should reside at <confluence install>\confluence\WEB-INF\classes\com\atlassian\confluence\pages\actions. If you don't have \pages\actions directories under <confluence install>\confluence\WEB-INF\classes\com\atlassian\confluence, create them.
      2. Add an extra line in <confluence install>\confluence\WEB-INF\classes\log4j.properties file: 
        log4j.logger.com.atlassian.confluence.pages.actions.GetPagePermissionsAction=DEBUG
      3. Restart Confluence

      To use the patch:

      1. Visit the problematic page
      2. Click on padlock
      3. Check <confluence data>/logs/atlassian-confluence.log for something like below: 
        010-03-25 11:23:13,212 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: ldap-group1. Fetched result is: null
2010-03-25 11:23:13,228 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: confluence-administrators. Fetched result is: confluence-administrators
2010-03-25 11:23:13,228 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: ldap-group2. Fetched result is: ldap-group2
2010-03-25 11:23:13,228 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: ldap-group3. Fetched result is: ldap-group3
2010-03-25 11:23:13,228 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: ldap-group4. Fetched result is: null

      In the above there are two LDAP groups that no longer exist (ldap-group1 and ldap-group4) and the Fetched result is null.

      For each of the identified groups, please remove by visiting Space Admin > Security > Restricted Pages. Click on the padlock icon for the problematic page, this will take you to a page info view where you can remove individual permissions.

      Use the same step above if you want to remove permissions for Null user objects.

      The patch will print similar information like above for user names:

      2010-04-01 11:32:31,250 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching user object for user name: clan. Fetched result is: clan
2010-04-01 11:32:31,265 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching user object for user name: roy. Fetched result is: roy
2010-04-01 11:32:31,265 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching user object for user name: bambang. Fetched result is: null

      Attachments

        1. findNullUsersAndGroups.patch
          2 kB
        2. pages.zip
          4 kB

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-18154 PermittedUserFinder.checkGroupExplicitlyPermitted throws NullPointerException when supplied group is null

          • Low - Low priority issues
          • Closed
          is duplicated by

          Suggestion - CONFSERVER-20289 Unable to See Edit Page Restrictions Dialog

          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-14104 Deleting users from LDAP, does not remove their 'Can-Use' permission

          • Medium - Medium priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-22377 Members of confluence-administrators cannot edit page restrictions on restricted pages

          • Low - Low priority issues
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-21645 Daily report stops functioning when user is removed directly from LDAP server

          • Low - Low priority issues
          • Closed
          mentioned in

          Page Loading...

          Page Loading...

          Activity

            People

              matt@atlassian.com Matt Ryall
              rhartono Roy Hartono [Atlassian]
              Votes:
              45 Vote for this issue
              Watchers:
              40 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 8h
                  8h
                  Remaining:
                  Remaining Estimate - 8h
                  8h
                  Logged:
                  Time Spent - Not Specified
                  Not Specified