Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-19124

Encountered NullPointerException due to dangling permission left after an LDAP group or user is deleted from the LDAP server

XMLWordPrintable

      Confluence will throw a NullPointerException below when it receives a Null value instead of a Group / User name when checking for Group / User permission.

      2010-03-24 16:11:01,478 ERROR [http-8080-6] [atlassian.confluence.servlet.ConfluenceServletDispatcher] sendError Could not execute action
       -- url: /pages/getpagepermissions.action | userName: clan | referer: http://localhost:8080/display/permission/Clan%27s+restricted+page
      java.lang.NullPointerException
      	at com.atlassian.confluence.user.PermittedUserFinder.checkGroupExplicitlyPermitted(PermittedUserFinder.java:51)
      	at com.atlassian.confluence.user.PermittedUserFinder.makeResult(PermittedUserFinder.java:43)
      	at com.atlassian.confluence.pages.actions.GetPagePermissionsAction.execute(GetPagePermissionsAction.java:84)
      	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:168)
      	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
      	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
      	at com.opensymphony.xwork.interceptor.DefaultWorkflowInterceptor.intercept(DefaultWorkflowInterceptor.java:55)
      	at com.atlassian.confluence.core.ConfluenceWorkflowInterceptor.intercept(ConfluenceWorkflowInterceptor.java:35)
      

      This can happen when an LDAP group / User was given a permission (eg. view, edit) in Confluence and then was deleted from the LDAP server.

      This problem will cause the specific user who created the permission in the first place to not able adding anymore permission to the space.

      Clicking on padlock or trying to edit Restrictions will result in the stack trace above in the log file.

      No error is visible from the browser.

      Workaround

      If you hit into this bug and not sure which group to remove from the permission list, the attached patch will help you to identify which groups are causing the problem.

      To install:

      1. Unzip the zip file into <confluence install>\confluence\WEB-INF\classes\com\atlassian\confluence
        The patch GetPagePermissionsAction.class should reside at <confluence install>\confluence\WEB-INF\classes\com\atlassian\confluence\pages\actions. If you don't have \pages\actions directories under <confluence install>\confluence\WEB-INF\classes\com\atlassian\confluence, create them.
      2. Add an extra line in <confluence install>\confluence\WEB-INF\classes\log4j.properties file:
        log4j.logger.com.atlassian.confluence.pages.actions.GetPagePermissionsAction=DEBUG
        
      3. Restart Confluence

      To use the patch:

      1. Visit the problematic page
      2. Click on padlock
      3. Check <confluence data>/logs/atlassian-confluence.log for something like below:
        010-03-25 11:23:13,212 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: ldap-group1. Fetched result is: null
        2010-03-25 11:23:13,228 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: confluence-administrators. Fetched result is: confluence-administrators
        2010-03-25 11:23:13,228 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: ldap-group2. Fetched result is: ldap-group2
        2010-03-25 11:23:13,228 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: ldap-group3. Fetched result is: ldap-group3
        2010-03-25 11:23:13,228 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching group object for group name: ldap-group4. Fetched result is: null
        

      In the above there are two LDAP groups that no longer exist (ldap-group1 and ldap-group4) and the Fetched result is null.

      For each of the identified groups, please remove by visiting Space Admin > Security > Restricted Pages. Click on the padlock icon for the problematic page, this will take you to a page info view where you can remove individual permissions.

      Use the same step above if you want to remove permissions for Null user objects.

      The patch will print similar information like above for user names:

      2010-04-01 11:32:31,250 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching user object for user name: clan. Fetched result is: clan
      2010-04-01 11:32:31,265 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching user object for user name: roy. Fetched result is: roy
      2010-04-01 11:32:31,265 DEBUG [http-8080-1] [confluence.pages.actions.GetPagePermissionsAction] execute Fetching user object for user name: bambang. Fetched result is: null
      

        1. findNullUsersAndGroups.patch
          2 kB
          Roy Hartono [Atlassian]
        2. pages.zip
          4 kB
          Roy Hartono [Atlassian]

              matt@atlassian.com Matt Ryall
              rhartono Roy Hartono [Atlassian]
              Votes:
              45 Vote for this issue
              Watchers:
              40 Start watching this issue

                Created:
                Updated:
                Resolved:

                  Estimated:
                  Original Estimate - 8h
                  8h
                  Remaining:
                  Remaining Estimate - 8h
                  8h
                  Logged:
                  Time Spent - Not Specified
                  Not Specified