Uploaded image for project: 'Service Packs and Hot Fixes'
  1. Service Packs and Hot Fixes
  2. MNT-17049

User with explicitly granted contributor permission can quick share a document but cannot unshare the same document link

    Details

    • Type: Service Pack Request
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: 5.0.2.1, 5.0.4, 5.1.1
    • Fix Version/s: 5.1.N, 5.2.N
    • Component/s: Share Application
    • Labels:
      None
    • Environment:
      Alfresco One 5.0.2.1
    • Bug Priority:
      Category 3
    • ACT Numbers:

      00740179

      Description

      Description
      User with explicitly granted contributor permission can quick share a document but cannot unshare the same document link

      Steps to reproduce

      1. Login to Alfresco Share as Administrator and via Admin Tools create a new user called "contributor"
      2. Create a folder in Company Home called "restricted"
      3. Do Manage Permission on folder "restricted", update the permission on the "restricted" folder so that it does not inherit permissions and only members of the Administrators group have access to the folder.
      4. Upload a document into this folder named "shareable.pdf"
      5. Update the permissions on "shareable.pdf" so that the user contributor user I created previously is explicitly granted contributor access to that document itself.
      6. Logout administrator and log in as the new contributor user.
      7. Search for "shareable.pdf" and click on found search result and navigate to it´s Document Details page
      8. Share the document. A shared link is published.
      9. Attempt to unshare the document.

      Expected
      Shared document is unshared properly. If "Share" action is allowed for user with explicitly granted permission without access to parent folder, "Unshare" action should be allowed as well.

      Actual behaviour
      Unsharing the document fails with UI message "Document could not be unshared" (see attached 1b)CompanyHome-CannotUnshareALink.png). The logs contain an access denied error:

      2016-11-04 09:42:17,391  ERROR [extensions.webscripts.AbstractRuntime] [http-apr-8080-exec-13] Exception from executeScript - redirecting to status template error: 10040008 Wrapped Exception (with status template): 10040017 Access Denied.  You do not have the appropriate permissions to perform this operation.
       org.springframework.extensions.webscripts.WebScriptException: 10040008 Wrapped Exception (with status template): 10040017 Access Denied.  You do not have the appropriate permissions to perform this operation.
      	at org.springframework.extensions.webscripts.AbstractWebScript.createStatusException(AbstractWebScript.java:1138)
      	at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:171)
      	at org.alfresco.repo.web.scripts.RepositoryContainer$3.execute(RepositoryContainer.java:519)
      	at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)
      	at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:587)
      	at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:656)
      	at org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:428)
      	at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:308)
      	at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:382)
      ...
      Caused by: org.alfresco.repo.security.permissions.AccessDeniedException: 10040017 Access Denied.  You do not have the appropriate permissions to perform this operation.
      	at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:57)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
      	at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:166)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
      	at org.alfresco.repo.transaction.RetryingTransactionInterceptor$1.execute(RetryingTransactionInterceptor.java:86)
      	at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)
      	at org.alfresco.repo.transaction.RetryingTransactionInterceptor.invoke(RetryingTransactionInterceptor.java:76)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
      	at org.alfresco.enterprise.repo.authorization.AuthorizationStatusInterceptor.invoke(AuthorizationStatusInterceptor.java:130)
      ...
      Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.
      	at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)
      	at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:398)
      	at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
      	at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:53)
      	... 50 more
      

      Supporting evidence

      • Issue reproduced with Alfresco One 5.0.2.1, 5.0.4, and 5.1.1
      • Issue occurs regardless if it is a folder under Company Home or a folder under a site document library
      • Find video recordings demonstrating the issue here: ftp://ftp.alfresco.com/support/MNT-17049

      Workaround
      Make sure the contributor user has at least read access to all of the parent folders that contain the shared document.

        Attachments

          Structure

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                sliaw Seng Liaw
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:

                  Structure Helper Panel