Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 31E7A200C5E for ; Sat, 8 Apr 2017 07:07:30 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 306D2160BA2; Sat, 8 Apr 2017 05:07:30 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 7922F160B97 for ; Sat, 8 Apr 2017 07:07:29 +0200 (CEST) Received: (qmail 54534 invoked by uid 500); 8 Apr 2017 05:07:28 -0000 Mailing-List: contact commits-help@manifoldcf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@manifoldcf.apache.org Delivered-To: mailing list commits@manifoldcf.apache.org Received: (qmail 54525 invoked by uid 99); 8 Apr 2017 05:07:28 -0000 Received: from Unknown (HELO svn01-us-west.apache.org) (209.188.14.144) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 08 Apr 2017 05:07:28 +0000 Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 7D9A33A1844 for ; Sat, 8 Apr 2017 05:07:27 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1790654 - in /manifoldcf/trunk: CHANGES.txt connectors/documentum/connector/src/main/java/org/apache/manifoldcf/authorities/authorities/DCTM/AuthorityConnector.java Date: Sat, 08 Apr 2017 05:07:26 -0000 To: commits@manifoldcf.apache.org 
From: kwright@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20170408050727.7D9A33A1844@svn01-us-west.apache.org> archived-at: Sat, 08 Apr 2017 05:07:30 -0000 Author: kwright Date: Sat Apr 8 05:07:26 2017 New Revision: 1790654 URL: http://svn.apache.org/viewvc?rev=1790654&view=rev Log: Tentative fix for CONNECTORS-1401. Modified: manifoldcf/trunk/CHANGES.txt manifoldcf/trunk/connectors/documentum/connector/src/main/java/org/apache/manifoldcf/authorities/authorities/DCTM/AuthorityConnector.java Modified: manifoldcf/trunk/CHANGES.txt URL: http://svn.apache.org/viewvc/manifoldcf/trunk/CHANGES.txt?rev=1790654&r1=1790653&r2=1790654&view=diff ============================================================================== --- manifoldcf/trunk/CHANGES.txt (original) +++ manifoldcf/trunk/CHANGES.txt Sat Apr 8 05:07:26 2017 @@ -3,6 +3,9 @@ $Id$ ======================= 2.7-dev ===================== +CONNECTORS-1401: Fix Documentum Authority query to exclude +access tokens that have matching negative groups or users. + CONNECTORS_1399: Remove all dependencies on json.jar, as per Apache Legal advice. (Karl Wright) Modified: manifoldcf/trunk/connectors/documentum/connector/src/main/java/org/apache/manifoldcf/authorities/authorities/DCTM/AuthorityConnector.java URL: http://svn.apache.org/viewvc/manifoldcf/trunk/connectors/documentum/connector/src/main/java/org/apache/manifoldcf/authorities/authorities/DCTM/AuthorityConnector.java?rev=1790654&r1=1790653&r2=1790654&view=diff ============================================================================== --- manifoldcf/trunk/connectors/documentum/connector/src/main/java/org/apache/manifoldcf/authorities/authorities/DCTM/AuthorityConnector.java (original) +++ manifoldcf/trunk/connectors/documentum/connector/src/main/java/org/apache/manifoldcf/authorities/authorities/DCTM/AuthorityConnector.java Sat Apr 8 05:07:26 2017 
@@ -744,14 +744,18 @@ public class AuthorityConnector extends // U.user_state=0)"; String strDQL = "SELECT DISTINCT A.owner_name, A.object_name FROM dm_acl A " + " WHERE "; if (!useSystemAcls) + { strDQL += "A.object_name NOT LIKE 'dm_%' AND ("; - strDQL += "(any (A.r_accessor_name IN ('" + strAccessToken + "', 'dm_world') AND r_accessor_permit>2) " - + " OR (any (A.r_accessor_name='dm_owner' AND A.r_accessor_permit>2) AND A.owner_name=" + quoteDQLString(strAccessToken) + ")" - + " OR (ANY (A.r_accessor_name in (SELECT G.group_name FROM dm_group G WHERE ANY G.i_all_users_names = " + quoteDQLString(strAccessToken) + ")" - + " AND r_accessor_permit>2))" - + ")"; - if (!useSystemAcls) + } + + // Include ACLs with positive groups and users + strDQL += "(any (A.r_accessor_name IN (" + quoteDQLString(strAccessToken) + ", 'dm_world') AND r_accessor_permit>2) OR (any (A.r_accessor_name='dm_owner' AND A.r_accessor_permit>2) AND A.owner_name=" + quoteDQLString(strAccessToken) + ") OR (ANY (A.r_accessor_name in (SELECT G.group_name FROM dm_group G WHERE ANY G.i_all_users_names = " + quoteDQLString(strAccessToken) + ") AND r_accessor_permit>2))) "; + // Exclude ACLs with negative groups and users + strDQL += "AND NOT (any (A.r_accessor_name IN (" + quoteDQLString(strAccessToken) + ", 'dm_world') AND r_accessor_permit<=2) OR (any (A.r_accessor_name='dm_owner' AND A.r_accessor_permit<=2) AND A.owner_name=" + quoteDQLString(strAccessToken) + ") OR (ANY (A.r_accessor_name in (SELECT G.group_name FROM dm_group G WHERE ANY G.i_all_users_names = " + quoteDQLString(strAccessToken) + ") AND r_accessor_permit<=2)))"; + + if (!useSystemAcls) { strDQL += ")"; + } if (Logging.authorityConnectors.isDebugEnabled()) Logging.authorityConnectors.debug("DCTM: About to execute query= (" + strDQL + ")");
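Review bot: The new exclusion clause keeps `'dm_world'` in its `IN (...)` list, so any ACL whose dm_world entry has `r_accessor_permit<=2` is dropped for every user, even when the include clause matched on an explicit user or group entry with permit>2. If only entries naming the user or one of the user's groups are meant to veto an ACL, the first negative term would compare against the token alone, e.g. `any (A.r_accessor_name=" + quoteDQLString(strAccessToken) + " AND r_accessor_permit<=2)`. If the broader veto is intended, a comment saying so would help, because it appears to fail closed and can silently shrink a user's token set. The three-way clause is also duplicated with only the comparison flipped, and `quoteDQLString(strAccessToken)` is evaluated six times; quoting once into a local and building both clauses from one helper would keep them in step. The enclosing method begins and ends outside this hunk, so how `useSystemAcls` and the query result are used is not visible here.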