Confluence Data Center / CONFSERVER-19124

Encountered NullPointerException due to dangling permission left after an LDAP group or user is deleted from the LDAP server

      Confluence throws the NullPointerException below when it receives a null value instead of a Group / User name while checking Group / User permissions.

      2010-03-24 16:11:01,478 ERROR [http-8080-6] [atlassian.confluence.servlet.ConfluenceServletDispatcher] sendError Could not execute action
       -- url: /pages/getpagepermissions.action | userName: clan | referer: http://localhost:8080/display/permission/Clan%27s+restricted+page
      java.lang.NullPointerException
      	at com.atlassian.confluence.user.PermittedUserFinder.checkGroupExplicitlyPermitted(PermittedUserFinder.java:51)
      	at com.atlassian.confluence.user.PermittedUserFinder.makeResult(PermittedUserFinder.java:43)
      	at com.atlassian.confluence.pages.actions.GetPagePermissionsAction.execute(GetPagePermissionsAction.java:84)
      	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:168)
      	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
      	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
      	at com.opensymphony.xwork.interceptor.DefaultWorkflowInterceptor.intercept(DefaultWorkflowInterceptor.java:55)
      	at com.atlassian.confluence.core.ConfluenceWorkflowInterceptor.intercept(ConfluenceWorkflowInterceptor.java:35)
      

      This can happen when an LDAP group / user was given a permission (e.g. view, edit) in Confluence and was then deleted from the LDAP server.

      This problem prevents the specific user who created the permission in the first place from adding any more permissions to the space.

      Clicking on the padlock or trying to edit Restrictions will result in the stack trace above in the log file.

      No error is visible from the browser.

      Workaround

      If you hit this bug and are not sure which group to remove from the permission list, the attached patch will help you identify which groups are causing the problem.

      To install:

      1. Unzip the zip file into <confluence install>\confluence\WEB-INF\classes\com\atlassian\confluence
        The patch GetPagePermissionsAction.class should reside at <confluence install>\confluence\WEB-INF\classes\com\atlassian\confluence\pages\actions. If you don't have \pages\actions directories under <confluence install>\confluence\WEB-INF\classes\com\atlassian\confluence, create them.
      2. Add an extra line to the <confluence install>\confluence\WEB-INF\classes\log4j.properties file:
        log4j.logger.com.atlassian.confluence.pages.actions.GetPagePermissionsAction=DEBUG
        
      3. Restart Confluence

      To use the patch:

      1. Visit the problematic page
      2. Click on the padlock
      3. Check <confluence data>/logs/atlassian-confluence.log for lines like the following:
        2010-03-25 11:23:13,212 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: ldap-group1. Fetched result is: null
        2010-03-25 11:23:13,228 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: confluence-administrators. Fetched result is: confluence-administrators
        2010-03-25 11:23:13,228 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: ldap-group2. Fetched result is: ldap-group2
        2010-03-25 11:23:13,228 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: ldap-group3. Fetched result is: ldap-group3
        2010-03-25 11:23:13,228 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: ldap-group4. Fetched result is: null
        

      In the output above, two LDAP groups no longer exist (ldap-group1 and ldap-group4); for each of them the fetched result is null.

      For each of the identified groups, remove the permission by visiting Space Admin > Security > Restricted Pages. Click on the padlock icon for the problematic page. This will take you to a page info view where you can remove individual permissions.

      Use the same steps if you want to remove permissions for null user objects.

      The patch prints similar information for user names:

      2010-04-01 11:32:31,250 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching user object for user name: clan. Fetched result is: clan
      2010-04-01 11:32:31,265 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching user object for user name: roy. Fetched result is: roy
      2010-04-01 11:32:31,265 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching user object for user name: bambang. Fetched result is: null
      

        1. findNullUsersAndGroups.patch
          2 kB
          Roy Hartono [Atlassian]
        2. pages.zip
          4 kB
          Roy Hartono [Atlassian]
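
The log check from step 3 of the workaround, as an added example (not part of the issue or of the attached patch): a Python script that scans atlassian-confluence.log lines for the patch's DEBUG output and lists the group and user names whose lookup returned null. The line format is taken from the excerpts above; the sample lines, the helper names and the user name j.doe are constructed.

```python
import re

# DEBUG line format written by the diagnostic patch (taken from the excerpts above).
# The timestamp is not anchored, so a line with a damaged timestamp still matches.
LINE_RE = re.compile(
    r"\[confluence\.pages\.actions\.GetPagePermissionsAction\] execute "
    r"Fetching (?P<kind>group|user) object for (?P=kind) name: "
    r"(?P<name>.+?)\. Fetched result is: (?P<result>.*)$"
)

def find_dangling(lines):
    """Return names whose most recent lookup in the log came back null."""
    last_null = {}  # (kind, name) -> did the latest lookup return null?
    for line in lines:
        m = LINE_RE.search(line.rstrip("\r\n"))
        if m:
            last_null[(m["kind"], m["name"])] = m["result"].strip() == "null"
    report = {"group": [], "user": []}
    for (kind, name), is_null in last_null.items():
        if is_null:
            report[kind].append(name)
    return report

# Constructed sample, modelled on the log excerpts in the issue description.
P = "[confluence.pages.actions.GetPagePermissionsAction] execute Fetching"
SAMPLE_LOG = [
    "2010-03-24 16:11:01,478 ERROR [http-8080-6] "
    "[atlassian.confluence.servlet.ConfluenceServletDispatcher] sendError Could not execute action",
    f"010-03-25 11:23:13,212 DEBUG [http-8080-1] {P} group object for group name: ldap-group1. Fetched result is: null",
    f"2010-03-25 11:23:13,228 DEBUG [http-8080-1] {P} group object for group name: confluence-administrators. "
    "Fetched result is: confluence-administrators",
    f"2010-03-25 11:23:13,228 DEBUG [http-8080-1] {P} group object for group name: ldap-group4. Fetched result is: null",
    f"2010-04-01 11:32:31,250 DEBUG [http-8080-1] {P} user object for user name: clan. Fetched result is: clan",
    f"2010-04-01 11:32:31,265 DEBUG [http-8080-1] {P} user object for user name: j.doe. Fetched result is: j.doe",
    f"2010-04-01 11:32:31,265 DEBUG [http-8080-1] {P} user object for user name: bambang. Fetched result is: null",
]

if __name__ == "__main__":
    for kind, names in find_dangling(SAMPLE_LOG).items():
        for name in names:
            print(f"dangling {kind} permission: {name}")
```

Old DEBUG lines stay in the log after a restriction is removed, so when re-checking, feed the script only lines written after your last change.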


            Matt Ryall added a comment -

            Jonas: it is now possible to view and edit the restrictions as any user that has "Restrict Page" permission in the space. (That includes users in the "confluence-administrators" group, which is exempt from permission checking.) A space administrator can also remove restrictions on the page from the "Restricted Pages" list in the space admin section.


            Deleted Account (Inactive) added a comment -

            This issue is marked as fixed... But how? What has been changed? What now happens if permissions are set for a user that has been removed? Is that permission removed from the page then automatically? Or is it now simply possible to view and edit page restrictions as a system administrator?

            Walt Fles added a comment -

            When will 3.5.12 be available?


            David Corley added a comment -

            Any chance CONF-22377 will be fixed in the 3.5.x series of releases? It's related to this (in a link sense)

            Matt Ryall added a comment -

            David, I'd really like to fix that issue too, but unfortunately it isn't closely related. I agree that your suggested approach would be ideal.


            David Corley added a comment -

            Hey Matt,
            Is there any chance you can also look at fixing CONF-11467 as part of a broader fix for removed users?
            I think there really needs to be an admin interface where Confluence shows a list of users it has detected to be no longer in the relevant user directory.
            For each user, a list of the relevant spaces/pages/permissions could be listed, and appropriate actions available for each.

            Matt Ryall added a comment -

            The page permissions dialog definitely wasn't working properly in 3.5.x when users have disappeared from Confluence due to being removed from LDAP. I'm looking into a fix.

            Walt Fles added a comment -

            This appears to be working properly in 3.5.9. Has anybody else noticed this?


            Chris Peka added a comment -

            This is also a serious problem for us. We have several new joiners and leavers every day, and as time goes on this is causing chaos.

            Anna Gunich added a comment -

            It still does not work in 3.5.5. Looks like we have to remove such restrictions directly in the database, which is not a very "user-friendly" workaround. Waiting for this issue to be resolved!

              matt@atlassian.com Matt Ryall
              rhartono Roy Hartono [Atlassian]