You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
log messages of level WARN in SolrServiceImpl.createLocationQueryForAdministrableItems: collection or community admin without any administrable collection or community
#9471
Open
saschaszott opened this issue
Apr 12, 2024
· 2 comments
org.dspace.discovery.SolrServiceImpl @ We have a collection or community admin with ID: <some-uuid-of-eperson> without any administrable collection or community!
This log statement is generated several times for almost every UI action of an (authenticated) non-administrator user.
It seems that the method createLocationQueryForAdministrableItems is called in the context of SolrServiceResourceRestrictionPluginwithout checking if the current logged-in user is at least an administrator of one collection or community.
We propose to add a check if (authorizeService.isCommunityAdmin(context) || authorizeService.isCollectionAdmin(context)) in line
Unfortunately, the proposed solution does not work since isCommunityAdmin and isCollectionAdmin operate on the Solr layer and not on the database layer (as expected).
By calling these methods new Solr queries are generated that finally call SolrServiceResourceRestrictionPlugin.additionalSearchParameters(). At the end you'll get a StackOverflowError as additionalSearchParameters() is executed in an infinite loop.
Is there a way to check if a given eperson is admin of at least one collection or community without invoking the Solr server?
For collections it would be a simple relational query if "is an administrator" means "is a member of the default administrators group." But I don't think there is any code to implement that query. It would be somewhat slow until we create an index over collection.admin.
Communities don't have a default administrators group, so we'd have to solve the other problem anyway: "is a member of any group that can perform all administrative operations on this object." So we might as well add that for collections as well. "perform all administrative operations" is probably not very interesting. The interesting bit will be "any group that can perform" since groups can be members of other groups. I haven't explored whether that is expressible in set algebra. If there is no non-iterative representation then a stored procedure may be the fastest and most efficient way to calculate it. [added] Or a WITH RECURSIVE common table expression might be even better.
Is there any clear, complete explanation of what the group2groupcache table represents? The internal documentation says nothing about it.
Bug Description
We see a lot of WARN log messages in
dspace.log
This log statement is generated several times for almost every UI action of an (authenticated) non-administrator user.
It seems that the method
createLocationQueryForAdministrableItems
is called in the context ofSolrServiceResourceRestrictionPlugin
without checking if the current logged-in user is at least an administrator of one collection or community.We propose to add a check
if (authorizeService.isCommunityAdmin(context) || authorizeService.isCollectionAdmin(context))
in lineDSpace/dspace-api/src/main/java/org/dspace/discovery/SolrServiceResourceRestrictionPlugin.java
Line 164 in 78010b0
Before preparing a PR that adds this check we would like to receive your feedback.
The text was updated successfully, but these errors were encountered: