svn commit: r1790654 - in /manifoldcf/trunk: CHANGES.txt connectors/documentum/connector/src/main/java/org/apache/manifoldcf/authorities/authorities/DCTM/AuthorityConnector.java

[kw...@apache.org]

Author: kwright
Date: Sat Apr  8 05:07:26 2017
New Revision: 1790654

URL: http://svn.apache.org/viewvc?rev=1790654&view=rev
Log:
Tentative fix for CONNECTORS-1401.

Modified:
    manifoldcf/trunk/CHANGES.txt
    manifoldcf/trunk/connectors/documentum/connector/src/main/java/org/apache/manifoldcf/authorities/authorities/DCTM/AuthorityConnector.java

Modified: manifoldcf/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/manifoldcf/trunk/CHANGES.txt?rev=1790654&r1=1790653&r2=1790654&view=diff
==============================================================================
--- manifoldcf/trunk/CHANGES.txt (original)
+++ manifoldcf/trunk/CHANGES.txt Sat Apr  8 05:07:26 2017
@@ -3,6 +3,9 @@ $Id$
 
 ======================= 2.7-dev =====================
 
+CONNECTORS-1401: Fix Documentum Authority query to exclude
+access tokens that have matching negative groups or users.
+
 CONNECTORS_1399: Remove all dependencies on json.jar, as per
 Apache Legal advice.
 (Karl Wright)

Modified: manifoldcf/trunk/connectors/documentum/connector/src/main/java/org/apache/manifoldcf/authorities/authorities/DCTM/AuthorityConnector.java
URL: http://svn.apache.org/viewvc/manifoldcf/trunk/connectors/documentum/connector/src/main/java/org/apache/manifoldcf/authorities/authorities/DCTM/AuthorityConnector.java?rev=1790654&r1=1790653&r2=1790654&view=diff
==============================================================================
--- manifoldcf/trunk/connectors/documentum/connector/src/main/java/org/apache/manifoldcf/authorities/authorities/DCTM/AuthorityConnector.java (original)
+++ manifoldcf/trunk/connectors/documentum/connector/src/main/java/org/apache/manifoldcf/authorities/authorities/DCTM/AuthorityConnector.java Sat Apr  8 05:07:26 2017
@@ -744,14 +744,18 @@ public class AuthorityConnector extends
       // U.user_state=0)";
       String strDQL = "SELECT DISTINCT A.owner_name, A.object_name FROM dm_acl A " + " WHERE ";
       if (!useSystemAcls)
+      {
         strDQL += "A.object_name NOT LIKE 'dm_%' AND (";
-      strDQL += "(any (A.r_accessor_name IN ('" + strAccessToken + "', 'dm_world') AND r_accessor_permit>2) "
-      + " OR (any (A.r_accessor_name='dm_owner' AND A.r_accessor_permit>2) AND A.owner_name=" + quoteDQLString(strAccessToken) + ")"
-      + " OR (ANY (A.r_accessor_name in (SELECT G.group_name FROM dm_group G WHERE ANY G.i_all_users_names = " + quoteDQLString(strAccessToken) + ")"
-      + " AND r_accessor_permit>2))"
-      + ")";
-      if (!useSystemAcls)
+      }
+      
+      // Include ACLs with positive groups and users
+      strDQL += "(any (A.r_accessor_name IN (" + quoteDQLString(strAccessToken) + ", 'dm_world') AND r_accessor_permit>2) OR (any (A.r_accessor_name='dm_owner' AND A.r_accessor_permit>2) AND A.owner_name=" + quoteDQLString(strAccessToken) + ") OR (ANY (A.r_accessor_name in (SELECT G.group_name FROM dm_group G WHERE ANY G.i_all_users_names = " + quoteDQLString(strAccessToken) + ") AND r_accessor_permit>2))) ";
+      // Exclude ACLs with negative groups and users
+      strDQL += "AND NOT (any (A.r_accessor_name IN (" + quoteDQLString(strAccessToken) + ", 'dm_world') AND r_accessor_permit<=2) OR (any (A.r_accessor_name='dm_owner' AND A.r_accessor_permit<=2) AND A.owner_name=" + quoteDQLString(strAccessToken) + ") OR (ANY (A.r_accessor_name in (SELECT G.group_name FROM dm_group G WHERE ANY G.i_all_users_names = " + quoteDQLString(strAccessToken) + ") AND r_accessor_permit<=2)))";
+      
+      if (!useSystemAcls) {
         strDQL += ")";
+      }
 
       if (Logging.authorityConnectors.isDebugEnabled())
         Logging.authorityConnectors.debug("DCTM: About to execute query= (" + strDQL + ")");