Context Navigation

#400 closed defect (fixed)

You can search and discover metadata that are (supposedly) not visible to you.

To reproduce:

Assuming a clean installation of GeoNetwork (no metadata),

(1) Login as admin, load templates, load sample metadata. There now are 7 sample metadata, visible to all, owned by admin.

(2) remove all privileges from one of those 7 metadata and log out

Search by GUI Search button now correctly displays results for the 6 visible metadata. Now try

Included in the results are the metadata you should not be allowed to know about.

Download all attachments as: .zip

Owner:	changed from geonetwork-devel@… to heikki

Fixed this. Patch is for 2.6.x with the following changes:

in LuceneSearcher, remove all user-provided elements that might compromise the search
added a class that models input for LuceneQueryBuilder, rather than passing straight the user-provided JDOM to it
removed _groupOwner from queries made by LQB, as it is useless; replaced by adding the current user's groups to both op0 and op2. Groupsquery also contains owner=currentuser (for metadata without any group privileges) and as before, adds dummy for Administrator users
Groupsquery now has a flat structure where all parts (op0, etc.) are in a union

Tested using both GUI and xml.search.

Attachment:	400.diff added

integrated in 26x and 24x

Status:	new → assigned

Resolution:	→ fixed
Status:	assigned → closed

integrated in trunk revision 7022

Note: See TracTickets for help on using tickets.