  1. OpenOLAT
  2. OO-1419

Full text search displays results which should not be visible

    Details

      Description

      The search result list is checked against BARG and members-only settings. It also contains results from resources which are protected with an access code. If someone protects his contents with a password, no one should see any content if he does not have that password. In the worst case the content contains that password.

      This patch fixes that:

      diff -r 36ef131ee9ab src/main/java/org/olat/repository/RepositoryManager.java
      --- a/src/main/java/org/olat/repository/RepositoryManager.java	Tue Feb 03 10:41:18 2015 +0100
      +++ b/src/main/java/org/olat/repository/RepositoryManager.java	Tue Feb 03 14:59:40 2015 +0100
      @@ -83,8 +83,12 @@
       import org.olat.repository.model.SearchRepositoryEntryParameters;
       import org.olat.resource.OLATResource;
       import org.olat.resource.OLATResourceManager;
      +import org.olat.resource.accesscontrol.ACService;
      +import org.olat.resource.accesscontrol.AccessResult;
       import org.olat.resource.accesscontrol.manager.ACReservationDAO;
      +import org.olat.resource.accesscontrol.model.OfferAccess;
       import org.olat.resource.accesscontrol.model.ResourceReservation;
      +import org.olat.resource.accesscontrol.provider.free.FreeAccessHandler;
       import org.olat.search.service.document.RepositoryEntryDocument;
       import org.olat.search.service.indexer.LifeFullIndexer;
       import org.olat.user.UserImpl;
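Review bot: this import hunk adds `ACService`, `AccessResult`, `OfferAccess` and `FreeAccessHandler`, but nothing for `CoreSpringFactory`, which the second hunk calls via `CoreSpringFactory.getImpl(ACService.class)`. The visible context does not show whether that class is already imported in `RepositoryManager.java`, so please confirm it is, or add the import here.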
      @@ -515,7 +519,16 @@
       		}
       		// else allow if access granted for users
       		if(re.getAccess() >= RepositoryEntry.ACC_USERS) {
      -			return true;
      +			boolean hasAccess = false;
      +			ACService acService = CoreSpringFactory.getImpl(ACService.class);
      +			AccessResult acResult = acService.isAccessible(re, identity, false); 
      +			if (acResult.isAccessible()) hasAccess = true;
      +			else if (!acResult.getAvailableMethods().isEmpty()) {
      +				for(OfferAccess offer:acResult.getAvailableMethods()) {
      +					if (offer.getMethod().getType().equals(FreeAccessHandler.METHOD_TYPE)) hasAccess = true;
      +				}
      +			}
      +			return hasAccess;
       		} else if (re.getAccess() == RepositoryEntry.ACC_OWNERS && re.isMembersOnly()) {
       			return repositoryEntryRelationDao.isMember(identity, re);
       		}
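Review bot: in the `re.getAccess() >= RepositoryEntry.ACC_USERS` branch, the loop over `acResult.getAvailableMethods()` grants visibility as soon as any one offer has type `FreeAccessHandler.METHOD_TYPE`, and nothing in the code explains that rule or what the `false` argument to `acService.isAccessible(re, identity, false)` selects. This is the decision that keeps access-code-protected content out of the search results, so add a comment stating the intended rule (visible only if already accessible or if a free offer exists) and document the flag. Smaller points: the `isEmpty()` guard is redundant because the for loop does nothing on an empty list, the loop can return as soon as a free offer is found, the brace-less `if`/`else if` differs from the braced style of the surrounding context lines, and `CoreSpringFactory.getImpl(ACService.class)` is looked up on every call, where a field or injected reference would avoid the repeated lookup.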
      


              People

              Assignee:
              srosse Stéphane Rossé
              Reporter:
              stephan Stephan Clemenz
              Tester:
              Stephan Clemenz


                  Time Tracking

                  Estimated: 0m
                  Remaining: 0m
                  Logged: 1h 30m