  1. Alfresco
  2. ALF-21833

Inviting external users using a Manager created by InviteService results in DeniedAccess Exception

    Details

      Description

      Steps to reproduce

      (Emails are fake accounts, just to explain the use case)

      1 - Invite an external user 'coordinador@alfresco.com' to site swsdp as Manager using the Alfresco Share web interface
      2 - Follow the email link to log in to Alfresco as user 'coordinador@alfresco.com'
      3 - Once logged in as 'coordinador@alfresco.com', invite external user 'collaborator@alfresco.com' to site swsdp as Collaborator using the Alfresco Share web interface
      4 - When user 'collaborator@alfresco.com' tries to follow the email link to log in to Alfresco, the following error is logged in catalina.out

      Caused by: org.alfresco.repo.security.permissions.AccessDeniedException: 00170005 Access Denied.  You do not have the appropriate permissions to perform this operation.
      	at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:50)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
      	at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:159)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
      	at org.alfresco.repo.transaction.RetryingTransactionInterceptor$1.execute(RetryingTransactionInterceptor.java:79)
      	at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:457)
      	at org.alfresco.repo.transaction.RetryingTransactionInterceptor.invoke(RetryingTransactionInterceptor.java:69)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
      	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
      	at com.sun.proxy.$Proxy20.removeAspect(Unknown Source)
      	at org.alfresco.repo.invitation.InvitationServiceImpl.accept(InvitationServiceImpl.java:451)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:497)
      	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
      	at org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor.invoke(AlwaysProceedMethodInterceptor.java:34)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
      	at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
      	at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:159)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
      	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
      	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
      	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
      	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
      	at com.sun.proxy.$Proxy128.accept(Unknown Source)
      	at org.alfresco.repo.web.scripts.invite.InviteResponse.execute(InviteResponse.java:135)
      	at org.alfresco.repo.web.scripts.invite.InviteResponse.access$000(InviteResponse.java:45)
      	at org.alfresco.repo.web.scripts.invite.InviteResponse$1.doWork(InviteResponse.java:105)
      	at org.alfresco.repo.web.scripts.invite.InviteResponse$1.doWork(InviteResponse.java:94)
      	at org.alfresco.repo.tenant.TenantUtil.runAsWork(TenantUtil.java:119)
      	at org.alfresco.repo.tenant.TenantUtil.runAsTenant(TenantUtil.java:88)
      	at org.alfresco.repo.tenant.TenantUtil$1.doWork(TenantUtil.java:62)
      	at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)
      	at org.alfresco.repo.tenant.TenantUtil.runAsUserTenant(TenantUtil.java:58)
      	at org.alfresco.repo.tenant.TenantUtil.runAsSystemTenant(TenantUtil.java:112)
      	at org.alfresco.repo.web.scripts.invite.InviteResponse.executeImpl(InviteResponse.java:93)
      	at org.springframework.extensions.webscripts.DeclarativeWebScript.executeImpl(DeclarativeWebScript.java:235)
      	at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:64)
      	... 33 more
      Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.
      	at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)
      	at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:398)
      	at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
      	at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
      	... 75 more
      

      On the other hand, the browser starts refreshing in a never-ending loop trying to show the error.

            Activity

            angel.borroy Angel Borroy added a comment -

            Simple patch available at: https://github.com/keensoft/alf-21833-repo

            resplin Richard Esplin added a comment -

            Thank you Angel Borroy for researching this issue.

            We are a bit confused by your report, which makes it hard to reproduce the issue.

            Out of the box, the Share interface doesn't have a "Coordinator" site role. The Permission Service does have a scheme called "Coordinator", but it is not exposed by Share.

            How are you inviting the user to the site?

            angel.borroy Angel Borroy added a comment -

            Sorry, I was using the Spanish web interface, where "Manager" is translated as "Coordinator".

            Step 1 includes an external invitation for a user to be site "Manager".

            The following steps are performed by this site "Manager", again using the external invitation system.

            resplin Richard Esplin added a comment -

            Thank you Angel Borroy. We believe that we have enough information to try and reproduce this issue, so we will assign it to a team to be prioritized against other work.

            angel.borroy Angel Borroy added a comment -

            As this issue is resolved as a duplicate of an Enterprise issue, in which Community version will the patch be incorporated?

            amorarasu Ancuta Morarasu added a comment -

            Angel Borroy The fix will be included in the next Community Release - 5.2.g.


              People

              • Assignee:
                closedissues Closed Issues
                Reporter:
                angel.borroy Angel Borroy