Uploaded image for project: 'Service Packs and Hot Fixes'
  1. Service Packs and Hot Fixes
  2. MNT-21110

REST API Allows return carriage and new line in Group ID field


    • Bug Priority:
      Category 2
    • ACT Numbers:


    • Story Points:
    • Prioritization Score:


      Using the REST API it is possible to add a Group with unsupported characters in it's id field. This causes two issues:

      1. ASMS continually fails on ACL tracking with stack traces reported in the logs
      2. Viewing/ modifying the group from Share is no possible

      It is not possible to introduce unsupported characters to Group ID's via Share as there is a validation check on the input.

      It is not possible to reproduce with the bundle Solr 4.

      Steps to reproduce

      1. Install 5.2.6 OOTB
      2. Install Search Service and configure this to track the repository
      3. Create a group with invalid character in it's ID using the REST API
      4. Add permissions to nodes for this group
      5. Index nodes using Search Service
        The following sequence of requests will create a problematic group id "GROUP_site_swsdp_mysitic_group_1\r\n".
        The next step then add this group to the permissions of the OOTB sample site's Budget Files folder:
      # Create Group
      curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '
      "id": "GROUP_site_swsdp_mystic_group_1\r\n",
      "displayName": "site_swsdp_mystic_group_1",
      "parentIds": [
      }' 'https://admin:admin@localhost:8080/alfresco/api/-default-/public/alfresco/versions/1/groups'
      # Set Permission on swsdp Budget Files folder (from OOTB site)
      curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '
      }' 'https://admin:admin@localhost:8080/alfresco/s/slingshot/doclib/permissions/workspace/SpacesStore/8ab12916-4897-47fb-94eb-1ab699822ecb' 

      Expected Behaviour

      The REST API should not allow invalid characters to be set on the Group id (as is the case when creating groups using share.

      Or, the ACL tracker should behave similar to the bundle Solr4.

      Observed Behaviour

      In Share

      if you try and open the properties of the Group (Admin Tools -> Users and Groups -> Groups -> Edit Group), an error is shown:

      Failed to retrieve group details for group 'site_swsdp_mystic_group_1 <br />&nbsp;&nbsp;&nbsp;'.

      You cannot add or remove members to the group, and you cannot access the current member list.

      In Alfresco Search Service:

      ACL may not be indexed correctly.

      The solr log for Search Service will continually log the following stack trace:

      2019-11-21 07:52:45.941 WARN  (SolrTrackingPool-archive-AclTracker-1) [   ] o.a.s.t.AbstractWorkerRunnable Index tracking batch hit an unrecoverable error
      org.json.JSONException: Unterminated string at 17117 [character 48 line 934]
              at org.json.JSONTokener.syntaxError(JSONTokener.java:433)
              at org.json.JSONTokener.nextString(JSONTokener.java:261)
              at org.json.JSONTokener.nextValue(JSONTokener.java:361)
              at org.json.JSONArray.<init>(JSONArray.java:116)
              at org.json.JSONTokener.nextValue(JSONTokener.java:367)
              at org.json.JSONObject.<init>(JSONObject.java:215)
              at org.json.JSONTokener.nextValue(JSONTokener.java:364)
              at org.json.JSONArray.<init>(JSONArray.java:116)
              at org.json.JSONTokener.nextValue(JSONTokener.java:367)
              at org.json.JSONObject.<init>(JSONObject.java:215)
              at org.alfresco.solr.client.SOLRAPIClient.getAclReaders(SOLRAPIClient.java:331)
              at org.alfresco.solr.tracker.AclTracker$AclIndexWorkerRunnable.doWork(AclTracker.java:847)
              at org.alfresco.solr.tracker.AbstractWorkerRunnable.run(AbstractWorkerRunnable.java:45)
              at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
              at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
              at java.base/java.lang.Thread.run(Thread.java:834)




          Issue Links




                • Assignee:
                  sreehall Sandeep Reehall
                  sreehall Sandeep Reehall
                • Votes:
                  0 Vote for this issue
                  5 Start watching this issue


                  • Created:

                    Structure Helper Panel