Row Level Access Help

I am attempting to test the row level access and have created a join of 2 simple tables (see below for schema)

<jdbcQuery id="JoinTree_1" datasourceId="SQL_Server_2012">      
    <field id="PageDetail.PageDescription" type="java.lang.String" />
    <field id="PageDetail.PageIndex" type="java.lang.Integer" />
    <field id="PageDetail.PageName" type="java.lang.String" />
    <field id="PageDetail.PageRepeat" type="java.lang.Integer" />
    <field id="PageDetail.PageTitle" type="java.lang.String" />
    <field id="PageDetail.SiteId" type="java.lang.String" />
    <field id="PageDetail.SiteTitle" type="java.lang.String" />
    <field id="StudyAdmin_UserRoleSite.SiteId" type="java.lang.String" />
    <field id="StudyAdmin_UserRoleSite.UserGroupId" type="java.lang.String" />
    <field id="StudyAdmin_UserRoleSite.Username" type="java.lang.String" />
    <joinInfo alias="PageDetail" referenceId="PageDetail" />

I have added a security file to the domain with the following content

<securityDefinition xmlns="" version="1.0" itemGroupDefaultAccess="granted">
  <resourceAccessGrants>    <!-- Begin row-level security -->
    <resourceAccessGrantList id="JoinTree_1_access_grant" label="AccessJoinTree1" resourceId="JoinTree_1">
      <resourceAccessGrant id="JoinTree_1_ROLE_USER_row_grant">
        <principalExpression>
          authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_USER'] }
        </principalExpression>
        <filterExpression>
          StudyAdmin_UserRoleSite.Username in ('user001')
        </filterExpression>
      </resourceAccessGrant>
    </resourceAccessGrantList>
  </resourceAccessGrants>
</securityDefinition>

When accessing a view based on this domain with a user role of ROLE_USER, I expected to only see results where the username was 'user001'. However, what I see is every row.

Can anyone see anything obviously wrong with my security file?


That's some really great formatting right there.

richard.cutts - 9 years 4 months ago

Looks good to me. I'd expect you'd see the "where StudyAdmin_UserRoleSite.Username in ('user001')" clause in your SQL when ROLE_USER. But ROLE_USER is inherited by everyone, so theoretically everyone would be impacted by this. For grins & giggles, I'd try a different role, and I'd also restart your webapp (clearing the temp dir which contains ACL (user/role/permissions) cache values).

ghudson_1 - 9 years 4 months ago
When clicking the 'View SQL Query' button in the adhoc view there's no WHERE clause present. Tried other user roles. I've rebooted the server. I've created a new, similar domain from scratch and a new adhoc view based on that. Still can't get anything filtered out.
richard.cutts - 9 years 4 months ago

The supermart security file is behaving as I would expect and seems to be setup in the same way so all I can conclude at this point is that my domain design is squiffy in some respect. I'll update if I figure anything out.

richard.cutts - 9 years 4 months ago

1 Answer:

The problem with the above security file seems to be with the principal expression element.

When I re-write the xml so that the opening tag and the content of the principal expression are on the same line, the filter works.

<principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_SUPERUSER','ROLE_USER'] }</principalExpression>

When split across lines, it doesn't seem to work.

<principalExpression>
  authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_SUPERUSER','ROLE_USER'] }
</principalExpression>


Raised issue #3355

richard.cutts - 9 years 4 months ago
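The check below is an added example; it is not code from this thread or from JasperReports Server. It is a small Python linter that parses a domain security file and flags any `<principalExpression>` whose Groovy text is split across lines or padded with indentation (the layout the answer above found disables the filter), then rewrites the file with each expression on one line. The same check is applied to `<filterExpression>` as a precaution, which the thread does not establish. The two embedded security files are constructed samples modelled on the poster's grant, and the XML layout follows the structure shown in the question.

```python
"""Added example (not from the thread or from JasperReports Server): lint a
domain security file for the failure mode reported above, a Groovy
<principalExpression> split across lines, and rewrite it onto one line."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the poster's grant: opening tag and Groovy
# expression on one line, the form the answer reports as working.
GOOD_SECURITY_XML = """\
<securityDefinition xmlns="" version="1.0" itemGroupDefaultAccess="granted">
  <resourceAccessGrants>
    <resourceAccessGrantList id="JoinTree_1_access_grant" label="AccessJoinTree1" resourceId="JoinTree_1">
      <resourceAccessGrant id="JoinTree_1_ROLE_USER_row_grant">
        <principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_USER'] }</principalExpression>
        <filterExpression>StudyAdmin_UserRoleSite.Username in ('user001')</filterExpression>
      </resourceAccessGrant>
    </resourceAccessGrantList>
  </resourceAccessGrants>
</securityDefinition>
"""

# Constructed sample: the same grant with each expression on its own line,
# the layout the poster started with.
BAD_SECURITY_XML = """\
<securityDefinition xmlns="" version="1.0" itemGroupDefaultAccess="granted">
  <resourceAccessGrants>
    <resourceAccessGrantList id="JoinTree_1_access_grant" label="AccessJoinTree1" resourceId="JoinTree_1">
      <resourceAccessGrant id="JoinTree_1_ROLE_USER_row_grant">
        <principalExpression>
          authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_USER'] }
        </principalExpression>
        <filterExpression>
          StudyAdmin_UserRoleSite.Username in ('user001')
        </filterExpression>
      </resourceAccessGrant>
    </resourceAccessGrantList>
  </resourceAccessGrants>
</securityDefinition>
"""

# The thread only establishes the problem for principalExpression; checking
# filterExpression too is an assumption made here as a precaution.
EXPRESSION_TAGS = ("principalExpression", "filterExpression")


def lint_security_file(xml_text):
    """Return one problem string per offending element; an empty list means clean."""
    root = ET.fromstring(xml_text)
    problems = []
    for grant in root.iter("resourceAccessGrant"):
        gid = grant.get("id", "<no id>")
        for tag in EXPRESSION_TAGS:
            elem = grant.find(tag)
            if elem is None:
                problems.append(f"{gid}: missing <{tag}>")
                continue
            text = elem.text or ""
            if not text.strip():
                problems.append(f"{gid}: empty <{tag}>")
            elif text != text.strip():
                # Leading/trailing newline or indentation around the expression:
                # exactly the layout the thread found to disable the filter.
                problems.append(f"{gid}: <{tag}> is padded with whitespace or newlines")
            elif "\n" in text:
                problems.append(f"{gid}: <{tag}> spans multiple lines")
    return problems


def fix_security_file(xml_text):
    """Rewrite every expression element onto a single line and return the XML."""
    root = ET.fromstring(xml_text)
    for grant in root.iter("resourceAccessGrant"):
        for tag in EXPRESSION_TAGS:
            elem = grant.find(tag)
            if elem is not None and elem.text:
                # Collapse runs of whitespace (including newlines) to one space.
                # Assumption: no expression relies on multiple consecutive
                # spaces inside a Groovy string literal.
                elem.text = " ".join(elem.text.split())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, xml_text in (("good", GOOD_SECURITY_XML), ("bad", BAD_SECURITY_XML)):
        print(name, lint_security_file(xml_text) or "clean")
    print(fix_security_file(BAD_SECURITY_XML))
```

Run it on an exported security file (`lint_security_file(open(path).read())`) before uploading the domain; a non-empty result is the layout the thread found to silently return every row. The linter encodes only the finding from this thread, it does not reproduce the server's own parser, so a clean result is necessary rather than sufficient: still confirm the WHERE clause with the ad hoc view's 'View SQL Query' button as the poster did.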