Description
In a project upgrading from 13 to 14, it was found that group based domain matching didn't work anymore if the group contains spaces or starts with a number.
It was pinpointed to a piece of code in org.hippoecm.repository.security.SecurityManager#getDomains that ISO9075-encodes the group names, which leads to an XPath query that does not find the domains:
    // filter groups
    for (String group : groups) {
        xpath.append(" or @").append(HippoNodeType.HIPPO_GROUPS).append(" = '");
        xpath.append(ISO9075.encode(NodeNameCodec.encode(group, true))).append("'");
    }
E.g. group name "My Admin" is encoded as "My_x0020_Admin"
E.g. group name "1234" is encoded as "_x0031_234"
Note that
- the group names cannot be changed because they are managed externally in LDAP.
- on 13.4 this worked, but the code there is very different because of the security overhaul
This is the low-level SecurityManager, so we should be careful with changes. Best to:
- set up a test for this use case
- not apply ISO9075.encode in the above lines, nor in the other places in #getDomains()
- check other occurrences
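
The mismatch described above, as an added example that is not Hippo's own code: a name-encoded literal is compared verbatim with the stored group values and therefore never matches. It assumes a simplified stand-in for `ISO9075.encode` covering only the two reported cases, leaves `NodeNameCodec.encode` out, and uses hypothetical class and method names with constructed group values.

```java
import java.util.List;
import java.util.Set;

public class GroupDomainMatchDemo {

    // Simplified stand-in for ISO9075.encode (assumption): escapes only the two
    // cases from the report, a space and a leading digit, as _xHHHH_.
    static String iso9075Like(String name) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            boolean escape = c == ' ' || (i == 0 && Character.isDigit(c));
            sb.append(escape ? String.format("_x%04x_", (int) c) : String.valueOf(c));
        }
        return sb.toString();
    }

    // String literal for the right-hand side of "@groups = '...'".
    // Doubling single quotes is an added precaution for externally managed
    // names (assumption, not taken from the original code).
    static String literal(String group, boolean nameEncode) {
        String value = nameEncode ? iso9075Like(group) : group;
        return "'" + value.replace("'", "''") + "'";
    }

    // Models the predicate evaluation: the literal is compared verbatim with
    // the stored property values; nothing decodes _xHHHH_ sequences.
    static boolean matches(Set<String> storedGroups, String literal) {
        String value = literal.substring(1, literal.length() - 1).replace("''", "'");
        return storedGroups.contains(value);
    }

    public static void main(String[] args) {
        // Constructed sample: group names as stored on a domain's groups property.
        Set<String> stored = Set.of("My Admin", "1234", "editors");
        for (String group : List.of("My Admin", "1234", "editors")) {
            String encoded = literal(group, true);
            String plain = literal(group, false);
            System.out.printf("%-10s encoded=%-20s match=%-5b plain=%-12s match=%b%n",
                    group, encoded, matches(stored, encoded), plain, matches(stored, plain));
        }
    }
}
```

Only "editors" matches in the encoded column, while all three match in the plain column; the same three inputs make a compact regression test for the use case.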