Deny cuba.gui.filter.maxResults will lead to load all entites in browse screen when FTS enabled

mario · January 30, 2017, 3:54pm

Hi,

i’ve encountered a weird situation that relates to the permission of cuba.gui.filter.maxResults and the corresponding paging feature in an browse screen. It only happens if the fts module is used in the build.gradle and the Application propertty fts.enabled = true is configured. It does not to be active in the browse screen i describe later, it just has to be activated.

Here’s the example:
I’ve a app with an entity Customer (with property “name”). Additionally i created the following security roles:

“Deny” (Type: Deny, permissions:CRUD on customer)
“Allow” (Type: Standard, permissions:CRUD on customer, allow for “Specific > Unlimited number of rows”)

Then i created corresponding users:

“deny” (password: “deny”, roles: [Deny])
“allow” (password: “allow”, roles: [Deny, Allow])

There are two independent problems i see.

First: Naming of the permission “Specific > Unlimited number of rows”:

(This one is even weird if fts is not configured, so it also happens with the dependency is not used)

I would expect to see the following:
When i login as “deny” i can go to the browse screen of the customer. I can select the amount elements per page i want to see and switch between 20-1000. But i can’t select “unlimited” because i’m not allowed to do so.

In reality i see the following:
When i login as “deny” i can go to the browse screen of the customer. I can’t select the amount elements per page i want to see and switch between 20-1000. 50 Elements per page is defined hard and i can’t change it.

I would assume by the translation of the security permission which is called “Unlimited number of rows”, that i would only add the permission to see all elements, but not if i deny this role that i’m not allowed to switch the page size entirely.

Second: Deny User is allowed to see all elements by hitting search:

I would expect to see the following:
When i login as “deny” i can go to the browse screen of the customer. When i don’t change anything in the filter and hit “search” i will get the first 50 elements because of the configured page size.

In reality i see the following:
When i login as “deny” i can go to the browse screen of the customer. When i don’t change anything in the filter and hit “search” i will get all elements.

This effectively means that i am allowed to see unlimited elements (which is the opposite i just configured via the Deny role).
When i do that with the allow user, i will get only the first 50 results (as expected).

The problematic is probably FilterDelegate.isMaxResultsLayoutVisible().

Attached you’ll find the example project as well as a screencast showing the problem in the application.

Bye
Mario

cuba-problem-paging-security-max-results.zip (83.8K)

security-paging-fts-error.gif (1.0M)

mario · January 30, 2017, 5:30pm

I just saw that the screencast.gif dropped the outer right corner of the screen so you are not able to see the important part of it sorry…

Bye
Mario

gorbunkov · February 1, 2017, 5:43am

Hi Mario,

The name “Unlimited number of rows” comes from the past when the number of items in the browser was defined in the simple text field, not in the dropdown list. This specific permission allowed user to enter no value in the text field and thus get all records from the database.

You are absolutely right that now the permission name is weird and it works weird. We’ll fix it. Thanks for reporting!

mario · February 1, 2017, 7:18am

Hi Max,

thanks for taking the time to look at it. Besides your description of that name and the action that it takes is kind of strange (as you mentioned for historical reasons), the second part of the problem is much more problematic and the actual problem.

As i wrote, this only happens if FTS is enabled, but if it is, it happens both in the fts mode and the generic filter mode of the browse screen. I’m not even sure if this is directly related to the permission, because for the “allow” user it works because of the fact that the user can see the dropdown, which means that by default 50 elements are configured which will then, when the search button is pressed get picked up to do the paging…

I just wanted to mention it once again, because from your answer i’m not 100% sure you saw that and took it as the real problem.

Bye
Mario

system · February 1, 2017, 7:18am

See the following issue in our bug tracker:

https://youtrack.cuba-platform.com/issue/PL-8566