Service Packs and Hot Fixes
MNT-20645

Delete node association API fails with access denied even though the users have delete access to the source node.

    Details

    • Type: Service Pack Request
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: 5.2.4, 6.1
    • Fix Version/s: 5.2.N
    • Component/s: ACS REST API
    • Bug Priority: Category 2
    • ACT Numbers: 00989783
    • Story Points: 8

      Description

      Problem Description:

      The Delete node association(s) API (DELETE /nodes/{nodeId}/targets/{targetId}), which is shown on the API Explorer at https://api-explorer.alfresco.com/api-explorer/#/nodes, requires either the Admin or the Site Manager role. When we try to delete an association with any other role we get the error "Access Denied. You do not have the appropriate permissions to perform this operation."
      We are supposed to be able to delete a peer association when the user has delete access to the source node.

      Steps to reproduce

      1. Create a user with the collaborator role. Note: any role other than Site Manager or Admin can be used.

      2. Create and deploy a model with a folder type that has a peer association, as follows:

      <types>
          <type name="case:assoc">
              <parent>cm:folder</parent>
              <!-- ... -->
              <associations>
                  <association name="case:relatesTo">
                      <title>Test relation</title>
                      <description>Association</description>
                      <source>
                          <mandatory>false</mandatory>
                          <many>true</many>
                      </source>
                      <target>
                          <class>case:test</class>
                          <mandatory>false</mandatory>
                          <many>true</many>
                      </target>
                  </association>
              </associations>
          </type>
      </types>

      3. Create two folders for both the source and target in the document library, and change the folder type to the one created at step 2.

      4. Make sure the user created at step 2 has the collaborator privileges on the folders you created at step 3.

      5. Create an association on a target node by running the API with the user created at step 1.
      For example:

      Method: POST
      URL:
      http://localhost:8080/alfresco/api/-default-/public/alfresco/versions/1/nodes/1d24a1b2-e023-46ab-9a7c-4f854bfbd9d8/targets
      Body:
      [
        {
           "targetId": "68fc9b25-77ac-4876-b24b-4263999475d4",
           "assocType": "case:relatesTo"
        }
      ]
      

      6. Delete an association on a target node by running the API with the user created at step 1.
      For example:

      Method: DELETE
      URL:
      http://localhost:8080/alfresco/api/-default-/public/alfresco/versions/1/nodes/1d24a1b2-e023-46ab-9a7c-4f854bfbd9d8/targets/68fc9b25-77ac-4876-b24b-4263999475d4
      

      Observed Behaviour
      The delete request fails with the following response. Please refer to the attached screenshot for further details.

      {
        "error": {
          "errorKey": "framework.exception.ApiDefault",
          "statusCode": 403,
          "briefSummary": "04170022 Access Denied.  You do not have the appropriate permissions to perform this operation.",
          "stackTrace": "For security reasons the stack trace is no longer displayed, but the property is kept for previous versions",
          "descriptionURL": "https://api-explorer.alfresco.com"
        }
      }
      

      Expected Behaviour
      The delete request should succeed for a user who has delete privileges on the folders. We are supposed to be able to delete a peer association when the user has delete access to the source node.

      Additional Information

      public-services-security-context.xml contains the following entries, which appear to grant access to removeAssociation:

          <bean id="NodeService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
              <property name="authenticationManager"><ref bean="authenticationManager"/></property>
              <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
              <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
              <property name="objectDefinitionSource">
                  <value>
                      <!-- ... -->
                      org.alfresco.service.cmr.repository.NodeService.createAssociation=ACL_ALLOW
                      org.alfresco.service.cmr.repository.NodeService.removeAssociation=ACL_ALLOW
                  </value>
              </property>
          </bean>

      I tried to replace the above with this, but I got the same result.

                      org.alfresco.service.cmr.repository.NodeService.removeAssociation=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.ReadProperties
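      To make the difference between the two removeAssociation entries above concrete, here is an added example (not Alfresco's own code) of how a method-security entry of the form ACL_NODE.<argIndex>.<classQName>.<permission> is evaluated against the permissions a user holds on the nodes passed to the method, using a simplified evaluator with constructed node ids and permission sets. It assumes removeAssociation takes (source, target, assocType) in that order; the real interceptor additionally scopes the permission by the class QName and derives the user's permissions from the node ACL.

```python
import re

# Constructed sample of the two entries quoted in the report, with the
# reporter's alternative removeAssociation entry in place of ACL_ALLOW.
SAMPLE_CONFIG = """
org.alfresco.service.cmr.repository.NodeService.createAssociation=ACL_ALLOW
org.alfresco.service.cmr.repository.NodeService.removeAssociation=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.ReadProperties
"""

# ACL_NODE.<argIndex>.<classQName>.<permission>: the permission is required on
# the NodeRef passed at <argIndex>; the class QName only scopes the permission.
NODE_RULE = re.compile(r"^ACL_NODE\.(\d+)\.([\w:]+)\.(\w+)$")


def parse_config(text):
    """Map each method name to a list of (arg_index, permission) checks.
    An empty list means ACL_ALLOW: no per-node permission is evaluated."""
    rules = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        method, spec = line.strip().split("=", 1)
        checks = []
        for token in spec.split(","):
            if token == "ACL_ALLOW":
                continue
            match = NODE_RULE.match(token)
            if not match:
                raise ValueError(f"unsupported entry: {token}")
            checks.append((int(match.group(1)), match.group(3)))
        rules[method] = checks
    return rules


def authorise(rules, method, args, granted):
    """True when the caller satisfies every check for `method`; `args` holds
    node ids at the indexed positions, `granted` maps node id -> permissions."""
    for arg_index, permission in rules[method]:
        if permission not in granted.get(args[arg_index], set()):
            return False
    return True


def collaborator_can_remove(source_perms, target_perms):
    """Constructed scenario: removeAssociation(source, target, assocType)."""
    rules = parse_config(SAMPLE_CONFIG)
    granted = {"src-folder": set(source_perms), "tgt-folder": set(target_perms)}
    method = "org.alfresco.service.cmr.repository.NodeService.removeAssociation"
    return authorise(rules, method, ["src-folder", "tgt-folder", "case:relatesTo"], granted)
```

With the ACL_ALLOW entry, createAssociation passes this layer for any user, so a 403 seen with either entry must come from a check elsewhere in the call path, which is consistent with the same result the reporter observed after the change.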
      

        People

        • Assignee: Unassigned
        • Reporter: kkono Kazuyuki Kono