log messages of level WARN in SolrServiceImpl.createLocationQueryForAdministrableItems: collection or community admin without any administrable collection or community

[saschaszott]

Bug Description

We see a lot of WARN log messages in dspace.log

org.dspace.discovery.SolrServiceImpl @ We have a collection or community admin with ID: <some-uuid-of-eperson> without any administrable collection or community!

This log statement is generated several times for almost every UI action of an (authenticated) non-administrator user.

It seems that the method createLocationQueryForAdministrableItems is called in the context of SolrServiceResourceRestrictionPlugin without checking if the current logged-in user is at least an administrator of one collection or community.

We propose to add a check if (authorizeService.isCommunityAdmin(context) || authorizeService.isCollectionAdmin(context)) in line

DSpace/dspace-api/src/main/java/org/dspace/discovery/SolrServiceResourceRestrictionPlugin.java

Line 164 in 78010b0

String locations = DSpaceServicesFactory.getInstance()

Before preparing a PR that adds this check we would like to receive your feedback.

[saschaszott]

Unfortunately, the proposed solution does not work since isCommunityAdmin and isCollectionAdmin operate on the Solr layer and not on the database layer (as expected).

By calling these methods new Solr queries are generated that finally call SolrServiceResourceRestrictionPlugin.additionalSearchParameters(). At the end you'll get a StackOverflowError as additionalSearchParameters() is executed in an infinite loop.

Is there a way to check if a given eperson is admin of at least one collection or community without invoking the Solr server?

[mwoodiupui]

For collections it would be a simple relational query if "is an administrator" means "is a member of the default administrators group." But I don't think there is any code to implement that query. It would be somewhat slow until we create an index over collection.admin.

Communities don't have a default administrators group, so we'd have to solve the other problem anyway: "is a member of any group that can perform all administrative operations on this object." So we might as well add that for collections as well. "perform all administrative operations" is probably not very interesting. The interesting bit will be "any group that can perform" since groups can be members of other groups. I haven't explored whether that is expressible in set algebra. If there is no non-iterative representation then a stored procedure may be the fastest and most efficient way to calculate it. [added] Or a WITH RECURSIVE common table expression might be even better.

Is there any clear, complete explanation of what the group2groupcache table represents? The internal documentation says nothing about it.