Using Rapid Search to find objects throws permission exception if object type permission has recently changed

    • Severity 3 - Minor

      Issue Summary

      Using Rapid Search to find objects throws a permission exception if the object type permission has recently changed. Objects a user accessed earlier are recorded in the user history; if permission is later revoked from the object type, the user starts getting a 403 instead of those objects being skipped.

      Steps to Reproduce

      1. Create an Object type with no permissions and associated objects.
      2. As a normal user, access objects from the created object type.
      3. As an admin, add the Object Type User permission to some other user.
      4. As the normal user, use Rapid Search to search for objects.

      Expected Results

      User should be able to see permitted objects.

      Actual Results

      The user gets a permission error for restricted objects because of the entry in object history. The following exception is thrown:

      com.atlassian.assets.tempeh.core.exception.PermissionException: User {0} didn''t have correct permission <...>
          at com.atlassian.assets.tempeh.core.permission.PermissionsChecker.checkPermission(PermissionsChecker.kt:403)
          at com.atlassian.assets.tempeh.core.permission.PermissionsChecker.checkObjectViewPermission(PermissionsChecker.kt:119)
          at com.atlassian.assets.tempeh.core.obj.ObjectService.getObjects(ObjectService.kt:1095)
          at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
          at java.base/java.lang.reflect.Method.invoke(Unknown Source)
          at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:355)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:196)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
          at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:768)
          at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:379)
          at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:119)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184)
          at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:768)
          at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:720)
          at com.atlassian.assets.tempeh.core.obj.ObjectService$$SpringCGLIB$$1.getObjects(<generated>)
          at com.atlassian.assets.tempeh.core.userhistory.SearchHistoryService.filterOnIds(SearchHistoryService.kt:129)
          at com.atlassian.assets.tempeh.core.userhistory.SearchHistoryService.searchMostRecentObjects(SearchHistoryService.kt:46)
          at com.atlassian.assets.tempeh.api.endpoint.obj.RapidSearchController.searchObjects(RapidSearchController.kt:30) 
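
The failure shown in the trace, reduced to a small model. This is an added example, not Atlassian's code: every class, function and value in it is hypothetical and constructed. It contrasts a history-backed search that hands stale ids to a strict batch fetch with one that re-checks view permission per history entry and skips what is no longer viewable.

```kotlin
// Simplified model (added example): all names and data are constructed,
// not taken from the Assets code base.
class PermissionException(message: String) : RuntimeException(message)

data class AssetObject(val id: Int, val typeId: Int, val label: String)

class ObjectStore(
    private val objects: Map<Int, AssetObject>,
    // object type id -> users allowed to view objects of that type
    private val viewers: Map<Int, Set<String>>,
) {
    fun canView(user: String, id: Int): Boolean {
        val obj = objects[id] ?: return false
        return user in viewers[obj.typeId].orEmpty()
    }

    // Strict batch fetch: a single unviewable id fails the whole request.
    fun getObjects(user: String, ids: List<Int>): List<AssetObject> =
        ids.map { id ->
            if (!canView(user, id)) throw PermissionException("no view permission")
            objects.getValue(id)
        }
}

// Pattern from the report: history ids go straight into the strict fetch,
// so one stale entry turns the whole search into an error (the 403).
fun recentObjectsStrict(store: ObjectStore, user: String, history: List<Int>) =
    store.getObjects(user, history)

// Expected behaviour: re-check permission per history entry at query time and
// skip entries that are no longer viewable (or no longer exist).
fun recentObjectsFiltered(store: ObjectStore, user: String, history: List<Int>) =
    store.getObjects(user, history.filter { store.canView(user, it) })

fun main() {
    val objects = listOf(
        AssetObject(1, typeId = 10, label = "Laptop-1"),
        AssetObject(2, typeId = 20, label = "Server-7"),
    ).associateBy { it.id }
    // Constructed state after the permission change: "normal" lost type 20.
    val store = ObjectStore(objects, mapOf(10 to setOf("normal"), 20 to setOf("other")))
    val history = listOf(2, 1) // recorded while "normal" could still view both

    println(runCatching { recentObjectsStrict(store, "normal", history) }.isFailure)
    println(recentObjectsFiltered(store, "normal", history).map { it.label })
}
```

The filtered variant still enforces the view check on every id it returns; it only stops a revoked history entry from failing the permitted ones.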

      Workaround

      Currently there is no known workaround for this behavior apart from reverting the Object Type permission change that started this error.

            Assignee:
            Deepak Sengar
            Reporter:
            Deepak Sengar
            Votes:
            2
            Watchers:
            5