  1. OpenOLAT
  2. OO-1419

Full text search displays results which should not be visible

      Description

      The search result list is checked against BARG and members-only settings. It also contains results from resources which are protected with an access code. If someone protects his contents with a password, no one should see any content if he does not have that password. In the worst case the content contains that password.

      This patch fixes that:

      diff -r 36ef131ee9ab src/main/java/org/olat/repository/RepositoryManager.java
      --- a/src/main/java/org/olat/repository/RepositoryManager.java	Tue Feb 03 10:41:18 2015 +0100
      +++ b/src/main/java/org/olat/repository/RepositoryManager.java	Tue Feb 03 14:59:40 2015 +0100
      @@ -83,8 +83,12 @@
       import org.olat.repository.model.SearchRepositoryEntryParameters;
       import org.olat.resource.OLATResource;
       import org.olat.resource.OLATResourceManager;
      +import org.olat.resource.accesscontrol.ACService;
      +import org.olat.resource.accesscontrol.AccessResult;
       import org.olat.resource.accesscontrol.manager.ACReservationDAO;
      +import org.olat.resource.accesscontrol.model.OfferAccess;
       import org.olat.resource.accesscontrol.model.ResourceReservation;
      +import org.olat.resource.accesscontrol.provider.free.FreeAccessHandler;
       import org.olat.search.service.document.RepositoryEntryDocument;
       import org.olat.search.service.indexer.LifeFullIndexer;
       import org.olat.user.UserImpl;
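
Review bot: the new `import org.olat.resource.accesscontrol.provider.free.FreeAccessHandler;` ties `RepositoryManager` to one concrete access-method provider. Consider having `ACService` or `AccessResult` answer "accessible without a code or payment" itself, so the repository layer does not need to know the provider's `METHOD_TYPE` constant.
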
      @@ -515,7 +519,16 @@
       		}
       		// else allow if access granted for users
       		if(re.getAccess() >= RepositoryEntry.ACC_USERS) {
      -			return true;
      +			boolean hasAccess = false;
      +			ACService acService = CoreSpringFactory.getImpl(ACService.class);
      +			AccessResult acResult = acService.isAccessible(re, identity, false); 
      +			if (acResult.isAccessible()) hasAccess = true;
      +			else if (!acResult.getAvailableMethods().isEmpty()) {
      +				for(OfferAccess offer:acResult.getAvailableMethods()) {
      +					if (offer.getMethod().getType().equals(FreeAccessHandler.METHOD_TYPE)) hasAccess = true;
      +				}
      +			}
      +			return hasAccess;
       		} else if (re.getAccess() == RepositoryEntry.ACC_OWNERS && re.isMembersOnly()) {
       			return repositoryEntryRelationDao.isMember(identity, re);
       		}
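
Review bot: in the `re.getAccess() >= RepositoryEntry.ACC_USERS` branch, `CoreSpringFactory.getImpl(ACService.class)` is resolved on every call, which adds up if this method is evaluated once per search hit as the description implies; keep the `ACService` in a field or inject it. The `!acResult.getAvailableMethods().isEmpty()` guard is redundant because the `for` loop over an empty list does nothing, and the loop can return as soon as an offer of type `FreeAccessHandler.METHOD_TYPE` is found instead of iterating over the remaining offers. The unbraced one-line `if (...) hasAccess = true;` statements are easy to misread next to the `else if`, so add braces. A short comment stating why a free offer counts as access while other methods do not would document the rule that keeps access-code-protected entries out of the result list. Because the change sits in `RepositoryManager` rather than in the search code, it alters the answer for every caller of this method, which deserves a line in the commit message and a test.
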
      

            People

            Assignee:
            srosse Stéphane Rossé
            Reporter:
            stephan Stephan Clemenz
            Tester:
            Stephan Clemenz

                Time Tracking

                Estimated: 0 minutes
                Remaining: 0 minutes
                Logged: 1 hour, 30 minutes