eZ Publish / Platform: EZP-22391

eZFind: Incorrect policy limitation when no 'content/read' access exists

    Details

      Description

      If a user has no content/read access at all, the created SOLR search filters will cause incorrect results to be returned (i.e. all content).

      In this case, ezpublish's default search does check all the nodes again so it does not display them, but the result count, facets and pagination are all incorrect.
      If using a custom function, however (for example, through symfony), this "post-filtering" may not occur and invalid results could end up being displayed. eZFind/SOLR should not return invalid results in the first place.

      Steps to reproduce:
      1. Remove all content/read permissions from a user role (for example, anonymous).
      2. As anonymous, perform a search.
         Note that the default content/search relies on the 'content/read' permission, so a custom module/bundle should be used.
      Result:
      1. On the standard ezpublish view, no results are displayed but it is clearly visible (see attached screenshot) that:
         a. The number of results is incorrect (should be none, not ALL content).
         b. The filters/facets are displayed.
         c. The pagination is created.
      Other Notes:

      // Search call from a custom module (eZ Publish legacy API). It goes straight
      // to eZFind/Solr and does not pass through the content/search view's
      // node-by-node post-filtering, so whatever Solr returns is what you get.
      $http = eZHTTPTool::instance();
      $searchResult = eZSearch::search(
          $http->variable( 'SearchText', '' ),
          array(
              "SearchLimit" => 10,
          )
      );
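      The root cause described above is a filter that degenerates to "nothing" when the user has zero content/read policies, which Solr reads as "no restriction". The following is an added example written for this ticket, not eZFind's own query-builder code, showing a simplified policy-to-filter translation in both its buggy and its fail-closed form. The function names, the policy array shape, the Solr field names and the choice of '-*:*' as the deny-all clause are assumptions for illustration.

```php
<?php
// Added example (not eZFind's own code): how content/read policy limitations
// become a Solr filter query (fq), and why "no policy at all" must yield a
// deny-all filter rather than an empty string. Names and fields are assumed.

/**
 * Translate one policy's limitations into a Solr clause.
 * ['Section' => [1, 3]] -> "((meta_section_id_si:"1" OR meta_section_id_si:"3"))"
 * Several limitations on the same policy are ANDed together.
 */
function limitationsToSolr(array $limitations): string
{
    // Assumed limitation -> Solr field mapping (illustrative only).
    $fields = array(
        'Section' => 'meta_section_id_si',
        'Class'   => 'meta_contentclass_id_si',
        'Subtree' => 'meta_path_si',
    );
    $parts = array();
    foreach ($limitations as $name => $values) {
        if (!isset($fields[$name])) {
            // Unknown limitation: fail closed instead of silently widening access.
            throw new InvalidArgumentException("Unsupported limitation: $name");
        }
        $terms = array();
        foreach ($values as $value) {
            // Quote values so path strings such as /1/2/ are not parsed as query syntax.
            $terms[] = $fields[$name] . ':"' . addcslashes((string) $value, '"\\') . '"';
        }
        $parts[] = '(' . implode(' OR ', $terms) . ')';
    }
    return '(' . implode(' AND ', $parts) . ')';
}

/**
 * OR the user's content/read policies together. A policy with no
 * limitations grants unlimited read access, so the filter becomes ''.
 */
function joinReadPolicies(array $policies): string
{
    $clauses = array();
    foreach ($policies as $limitations) {
        if ($limitations === array()) {
            return '';            // one unlimited policy: no restriction at all
        }
        $clauses[] = limitationsToSolr($limitations);
    }
    return implode(' OR ', $clauses);
}

/**
 * Buggy variant, mirroring the behaviour this ticket reports: with zero
 * policies the loop never runs, the clause list stays empty and the filter
 * is '' (the same value an unlimited policy produces). Solr treats an empty
 * fq as "no filter", so every document matches.
 */
function buildReadFilterBuggy(array $policies): string
{
    return joinReadPolicies($policies);
}

/**
 * Fixed variant: distinguish "no policy" (deny everything) from "a policy
 * without limitations" (allow everything). '-*:*' is a pure negative query
 * that Solr accepts in an fq and that matches no document; using it here is
 * an assumption of this example, not necessarily eZFind's exact fix.
 */
function buildReadFilterFixed(array $policies): string
{
    if ($policies === array()) {
        return '-*:*';
    }
    return joinReadPolicies($policies);
}

// Constructed sample input: a role limited to sections 1 and 3, and a role
// with no content/read policy at all (the reporter's anonymous case).
$limitedRole = array(array('Section' => array(1, 3)));
$noReadRole  = array();

printf("limited, buggy: %s\n", buildReadFilterBuggy($limitedRole));
printf("limited, fixed: %s\n", buildReadFilterFixed($limitedRole));
printf("no read, buggy: '%s'  <- empty fq, Solr returns ALL content\n", buildReadFilterBuggy($noReadRole));
printf("no read, fixed: %s  <- matches nothing\n", buildReadFilterFixed($noReadRole));
```

      Run it with `php example.php`. The practical check for a deployment is the one the reporter describes: query Solr (or eZSearch::search from a custom module) as a user with no content/read policy and confirm that the hit count, facets and pagination are empty, not just that the rendered list is. Even when the template layer hides the nodes, a non-zero count or a populated facet already leaks how much content exists.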

        Activity

        Joao Inacio (Inactive) added a comment - Suggested PR: https://github.com/ezsystems/ezfind/pull/153
        Yannick Roger (Inactive) added a comment - Fixed in master: https://github.com/joaoinacio/ezfind/commit/2e0708b0d9cf92a50469d1f30e44cc0a921600d6 https://github.com/joaoinacio/ezfind/commit/df6396db10fba52f2f0385613457fef3bde92cc2
        Marcos Loureiro (Inactive) added a comment - QA Approved

          People

          Assignee: Unassigned
          Reporter: Joao Inacio (Inactive)

          Time Tracking

          Original Estimate: Not Specified
          Remaining Estimate: 0m
          Time Spent: 6h 30m