Details
Major Description
When querying for suggestions, the LucenePropertyIndex performs the ACL checks for the suggested terms incorrectly if the oak:index definition is not located under the root.
In my example, I have an oak:index definition under /content/wcgcom/demo/example/oak:index/lucene-suggest looking like this:
<lucene-suggest
jcr:primaryType="oak:QueryIndexDefinition"
async="async"
compatVersion="{Long}2"
reindex="{Boolean}false"
reindexCount="{Long}5"
type="lucene">
<indexRules jcr:primaryType="nt:unstructured">
<nt:base jcr:primaryType="nt:unstructured">
<properties jcr:primaryType="nt:unstructured">
<props
jcr:primaryType="nt:unstructured"
analyzed="{Boolean}true"
isRegexp="{Boolean}true"
name="jcr:(title|description)|title|subtitle|boldTitle"
propertyIndex="{Boolean}true"
useInSuggest="{Boolean}true"/>
</properties>
</nt:base>
</indexRules>
<suggestion
jcr:primaryType="nt:unstructured"
suggestAnalyzed="{Boolean}true"
suggestUpdateFrequencyMinutes="{Long}20"/>
</lucene-suggest>
And most relevant content under this path: /content/wcgcom/demo/example/home
When inspecting the ACL checks happening in the suggestion part of LucenePropertyIndex#loadDocs it seems the Document's path as returned by retrievedDoc.get(FieldNames.PATH) starts from the root path of the index. So in this case an example of a document path from the index above could be /home/about-us/news/jcr:content/headerParagraph/shortheader (notice that it's missing the full path to the root of the JCR workspace (specifically missing /content/wcgcom/demo/example in this case)
I believe this could be solved by simply prefixing the document path with filter.getPath(). And looking through the code, it looks like the same problem is present for the spellcheck type queries.
Here's a patch that could potentially fix this (untested):
diff --git a/oak-lucene/src/main/java/org/apache/jackrabbit/oak/plugins/index/lucene/LucenePropertyIndex.java b/oak-lucene/src/main/java/org/apache/jackrabbit/oak/plugins/index/lucene/LucenePropertyIndex.java
index 7e5291f..a262f3e 100644
--- a/oak-lucene/src/main/java/org/apache/jackrabbit/oak/plugins/index/lucene/LucenePropertyIndex.java
+++ b/oak-lucene/src/main/java/org/apache/jackrabbit/oak/plugins/index/lucene/LucenePropertyIndex.java
@@ -464,7 +464,7 @@ public class LucenePropertyIndex implements AdvancedQueryIndex, QueryIndex, Nati
if (topDocs.totalHits > 0) {
for (ScoreDoc doc : topDocs.scoreDocs) {
Document retrievedDoc = searcher.doc(doc.doc);
- if (filter.isAccessible(retrievedDoc.get(FieldNames.PATH))) {
+ if (filter.isAccessible(filter.getPath() + retrievedDoc.get(FieldNames.PATH))) {
queue.add(new LuceneResultRow(suggestion.string));
break;
}
@@ -492,7 +492,7 @@ public class LucenePropertyIndex implements AdvancedQueryIndex, QueryIndex, Nati
if (topDocs.totalHits > 0) {
for (ScoreDoc doc : topDocs.scoreDocs) {
Document retrievedDoc = searcher.doc(doc.doc);
- if (filter.isAccessible(retrievedDoc.get(FieldNames.PATH))) {
+ if (filter.isAccessible(filter.getPath() + retrievedDoc.get(FieldNames.PATH))) {
queue.add(new LuceneResultRow(suggestion.key.toString(), suggestion.value));
break;
}
