Properly handle ACL publication for non-admins
If a non-admin user tries to publish something, Opencast will try to get
the ACL for the media package intended for publication. During this
process, Opencast tries to evaluate the ACL and write it to the
database. Unfortunately, this process silently fails, causing an empty
ACL to be written into the database instead.

The search service then tries to publish to the search index. This
causes several files linked in the media package to be accessed for
which the ACL in the database is being evaluated. Since that is now an
empty ACL, the access check fails, meaning that the publication fails
halfway (event is in the database, but not in the index).

This patch allows Opencast to always access the access control list
linked in the media package, so that the correct ACL ends up in the
database, meaning the correct ACL will be used for the index checks.

This fixes the overall problem and allows non-admin users to actually
publish events.

This fixes opencast#5333
This fixes opencast#6040
lkiesow committed Jul 25, 2024
1 parent 7268341 commit c510646
Showing 2 changed files with 18 additions and 1 deletion.
4 changes: 4 additions & 0 deletions modules/search-service-impl/pom.xml
Expand Up @@ -65,6 +65,10 @@
<groupId>jakarta.ws.rs</groupId>
<artifactId>jakarta.ws.rs-api</artifactId>
</dependency>
<dependency>
<groupId>org.osgi</groupId>
<artifactId>osgi.core</artifactId>
</dependency>
<dependency>
<groupId>org.osgi</groupId>
<artifactId>org.osgi.service.component</artifactId>
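Review bot: the new org.osgi:osgi.core dependency carries neither a version nor a scope, so it only resolves if the parent POM's dependencyManagement pins it; please confirm that entry exists and that the managed scope is `provided` (the bundle needs the artifact only to compile the `ComponentContext.getBundleContext()` call, the OSGi runtime supplies it at run time). Embedding a second copy of the OSGi core API into the bundle would be the failure mode to watch for.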
Expand Up @@ -21,6 +21,8 @@

package org.opencastproject.search.impl;

import static org.opencastproject.systems.OpencastConstants.DIGEST_USER_PROPERTY;

import org.opencastproject.elasticsearch.index.ElasticsearchIndex;
import org.opencastproject.elasticsearch.index.rebuild.AbstractIndexProducer;
import org.opencastproject.elasticsearch.index.rebuild.IndexProducer;
Expand All @@ -45,6 +47,7 @@
import org.opencastproject.security.api.SecurityConstants;
import org.opencastproject.security.api.SecurityService;
import org.opencastproject.security.api.UnauthorizedException;
import org.opencastproject.security.util.SecurityUtil;
import org.opencastproject.series.api.SeriesException;
import org.opencastproject.series.api.SeriesService;
import org.opencastproject.util.NotFoundException;
Expand Down Expand Up @@ -131,6 +134,8 @@ public IndexRebuildService.Service getService() {
/** The organization directory service */
private OrganizationDirectoryService organizationDirectory = null;

private String systemUserName = null;

/**
* Creates a new instance of the search service index.
*/
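Review bot: `private String systemUserName = null;` has no Javadoc while the surrounding fields document themselves; add a one-line comment stating that this is the digest user name read from `DIGEST_USER_PROPERTY` in `activate()` and that it stays null until then, so later readers know why it is safe to use only after activation.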
Expand All @@ -146,6 +151,7 @@ public SearchServiceIndex() {
@Activate
public void activate(final ComponentContext cc) throws IllegalStateException {
createIndex();
systemUserName = cc.getBundleContext().getProperty(DIGEST_USER_PROPERTY);
}

private void createIndex() {
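Review bot: `cc.getBundleContext().getProperty(DIGEST_USER_PROPERTY)` returns null when the property is not configured, and nothing here checks for it; since `activate` already declares `IllegalStateException`, fail fast with a clear message (e.g. `throw new IllegalStateException("Property " + DIGEST_USER_PROPERTY + " is not set")`) rather than letting the null reach `SecurityUtil.createSystemUser` on the first publication attempt.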
Expand Down Expand Up @@ -216,7 +222,14 @@ public void addSynchronously(MediaPackage mediaPackage)
checkMPWritePermission(mediaPackageId);

logger.debug("Attempting to add media package {} to search index", mediaPackageId);
var acl = authorizationService.getActiveAcl(mediaPackage).getA();
final var acls = new AccessControlList[1];
final var org = securityService.getOrganization();
final var systemUser = SecurityUtil.createSystemUser(systemUserName, org);
// Ensure we always get the actual acl by forcing access
SecurityUtil.runAs(securityService, org, systemUser, () -> {
acls[0] = authorizationService.getActiveAcl(mediaPackage).getA();
});
var acl = acls[0] == null ? new AccessControlList() : acls[0];
var now = new Date();

try {
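Review bot: the fallback `var acl = acls[0] == null ? new AccessControlList() : acls[0];` silently substitutes an empty ACL, which is exactly the symptom the commit message describes (empty ACL written to the database, index access checks then fail); at minimum log a warning with the media package id when `acls[0]` is null, or treat it as an error, so the next occurrence is not silent again. On the security side the elevation is acceptable as written because `checkMPWritePermission(mediaPackageId)` runs as the calling user before the `SecurityUtil.runAs` block and the elevated section is limited to the single `getActiveAcl` call; please keep that ordering and do not widen the lambda in later changes.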