Merge branch 'develop' into extractor-catalog-labels

Author: max-zilla

CHANGELOG.md

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## Unreleased
+
+### Fixed
+- Fixed permissions checks on search results for search interfaces that would cause misleading counts. [#60](https://github.com/clowder-framework/clowder/issues/60)
+
 ## 1.12.0 - 2020-10-19
 **_Warning:_**
 - This update modifies the MongoDB schema. Make sure to start the application with `-DMONGOUPDATE=1`.
@@ -24,7 +29,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Ignore the `update` field when posting to `/api/extractors`. [#89](https://github.com/clowder-framework/clowder/issues/89)
 - Search results were hardcoded to be in batches of 2.
 
-# 1.11.2 - 2020-10-13
+## 1.11.2 - 2020-10-13
 
 ### Fixed
 - Clowder healthcheck was not correct, resulting in docker-compose never thinking it was healthy. This could also result 

app/api/Search.scala

@@ -1,8 +1,7 @@
 package api
 
 import api.Permission._
-import services.{RdfSPARQLService, DatasetService, FileService, CollectionService, PreviewService, SpaceService,
-MultimediaQueryService, ElasticsearchPlugin}
+import services.{RdfSPARQLService, PreviewService, SpaceService, MultimediaQueryService, ElasticsearchPlugin}
 import play.Logger
 import scala.collection.mutable.{ListBuffer, HashMap}
 import util.{SearchUtils, SearchResult}
@@ -15,9 +14,6 @@ import models._
 
 @Singleton
 class Search @Inject() (
-   files: FileService,
-   datasets: DatasetService,
-   collections: CollectionService,
    previews: PreviewService,
    queries: MultimediaQueryService,
    spaces: SpaceService,
@@ -49,10 +45,16 @@ class Search @Inject() (
           (tag match {case Some(x) => s"&tag=$x" case None => ""})
 
         // Add space filter to search here as a simple permissions check
-        val permitted = spaces.listAccess(0, Set[Permission](Permission.ViewSpace), request.user, true, true, false, false).map(sp => sp.id)
+        val superAdmin = request.user match {
+          case Some(u) => u.superAdminMode
+          case None => false
+        }
+        val permitted = if (superAdmin)
+          List[UUID]()
+        else
+          spaces.listAccess(0, Set[Permission](Permission.ViewSpace), request.user, true, true, false, false).map(sp => sp.id)
 
         val response = plugin.search(query, resource_type, datasetid, collectionid, spaceid, folderid, field, tag, from_index, size, permitted, request.user)
-
         val result = SearchUtils.prepareSearchResponse(response, source_url, request.user)
         Ok(toJson(result))
       }
@@ -70,8 +72,19 @@ class Search @Inject() (
 
       current.plugin[ElasticsearchPlugin] match {
         case Some(plugin) => {
+          // Add space filter to search here as a simple permissions check
+          val superAdmin = request.user match {
+            case Some(u) => u.superAdminMode
+            case None => false
+          }
+          val permitted = if (superAdmin)
+            List[UUID]()
+          else
+            spaces.listAccess(0, Set[Permission](Permission.ViewSpace), request.user, true, true, false, false).map(sp => sp.id)
+
+
           val queryList = Json.parse(query).as[List[JsValue]]
-          val response = plugin.search(queryList, grouping, from, size, user)
+          val response = plugin.search(queryList, grouping, from, size, permitted, user)
 
           // TODO: Better way to build a URL?
           val source_url = s"/api/search?query=$query&grouping=$grouping"

app/services/ElasticsearchPlugin.scala

@@ -41,6 +41,7 @@ class ElasticsearchPlugin(application: Application) extends Plugin {
   val folders: FolderService = DI.injector.getInstance(classOf[FolderService])
   val datasets: DatasetService = DI.injector.getInstance(classOf[DatasetService])
   val collections: CollectionService = DI.injector.getInstance(classOf[CollectionService])
+  val spaces: SpaceService = DI.injector.getInstance(classOf[SpaceService])
   val queue: ElasticsearchQueue = DI.injector.getInstance(classOf[ElasticsearchQueue])
   var client: Option[TransportClient] = None
   val nameOfCluster = play.api.Play.configuration.getString("elasticsearchSettings.clusterName").getOrElse("clowder")
@@ -119,15 +120,16 @@ class ElasticsearchPlugin(application: Application) extends Plugin {
   }
 
   /** Prepare and execute Elasticsearch query, and return list of matching ResourceRefs */
-  def search(query: List[JsValue], grouping: String, from: Option[Int], size: Option[Int], user: Option[User]): ElasticsearchResult = {
+  def search(query: List[JsValue], grouping: String, from: Option[Int], size: Option[Int],
+             permitted: List[UUID], user: Option[User]): ElasticsearchResult = {
     /** Each item in query list has properties:
       *   "field_key":      full name of field to query, e.g. 'extractors.wordCount.lines'
       *   "operator":       type of query for this term, e.g. '=='
       *   "field_value":    value to search for using specified field & operator
       *   "extractor_key":  name of extractor component only, e.g. 'extractors.wordCount'
       *   "field_leaf_key": name of immediate field only, e.g. 'lines'
       */
-    val queryObj = prepareElasticJsonQuery(query, grouping)
+    val queryObj = prepareElasticJsonQuery(query, grouping, permitted, user)
     accumulatePageResult(queryObj, user, from.getOrElse(0), size.getOrElse(maxResults))
   }
 
@@ -759,7 +761,7 @@ class ElasticsearchPlugin(application: Application) extends Plugin {
   }
 
   /** Convert list of search term JsValues into an Elasticsearch-ready JSON query object **/
-  def prepareElasticJsonQuery(query: List[JsValue], grouping: String): XContentBuilder = {
+  def prepareElasticJsonQuery(query: List[JsValue], grouping: String, permitted: List[UUID], user: Option[User]): XContentBuilder = {
     /** OPERATORS
       *  :   contains (partial match)
       *  ==  equals (exact match)
@@ -805,6 +807,36 @@ class ElasticsearchPlugin(application: Application) extends Plugin {
         builder.startObject().startObject("exists").field("field", key).endObject().endObject()
       })
 
+      // Apply appropriate permissions filters based on user/superadmin
+      user match {
+        case Some(u) => {
+          if (!u.superAdminMode) {
+            builder.startObject.startObject("bool").startArray("should")
+
+            // Restrict to spaces the user is permitted access to
+            permitted.foreach(ps => {
+              builder.startObject().startObject("match").field("child_of", ps.stringify).endObject().endObject()
+            })
+
+            // Also include anything the user owns
+            builder.startObject().startObject("match").field("creator", u.id.stringify).endObject().endObject()
+
+            builder.endArray().endObject().endObject()
+          }
+        }
+        case None => {
+          // Metadata search is not publicly accessible so this shouldn't happen, public filter
+          builder.startObject.startObject("bool").startArray("should")
+
+          // TODO: Does this behave properly with public spaces?
+          spaces.list.foreach(ps => {
+            builder.startObject().startObject("match").field("child_of", ps.id.stringify).endObject().endObject()
+          })
+
+          builder.endArray().endObject().endObject()
+        }
+      }
+
       builder.endArray()
     }
 
@@ -943,7 +975,7 @@ class ElasticsearchPlugin(application: Application) extends Plugin {
       }
     })
 
-    // If user is superadmin or there is no user, no filters applied
+    // Apply appropriate permissions filters based on user/superadmin
     user match {
       case Some(u) => {
         if (!u.superAdminMode) {
@@ -967,7 +999,15 @@ class ElasticsearchPlugin(application: Application) extends Plugin {
         }
       }
       case None => {
-        // Calling this with no user should only happen internally (e.g. listTags) so no filter
+        // Metadata search is not publicly accessible so this shouldn't happen, public filter
+        builder.startObject.startObject("bool").startArray("should")
+
+        // TODO: Does this behave properly with public spaces?
+        spaces.list.foreach(ps => {
+          builder.startObject().startObject("match").field("child_of", ps.id.stringify).endObject().endObject()
+        })
+
+        builder.endArray().endObject().endObject()
       }
     }
 

app/util/SearchUtils.scala

@@ -291,12 +291,28 @@ object SearchUtils {
     var results = ListBuffer.empty[JsValue]
 
     // Use bulk Mongo queries to get many resources at once
-    val filesList = files.get(Permission.checkPermissions(user, Permission.ViewFile,
-      response.results.filter(_.resourceType == 'file)).approved.map(_.id)).found
-    val datasetsList = datasets.get(Permission.checkPermissions(user, Permission.ViewDataset,
-      response.results.filter(_.resourceType == 'dataset)).approved.map(_.id)).found
-    val collectionsList = collections.get(Permission.checkPermissions(user, Permission.ViewCollection,
-      response.results.filter(_.resourceType == 'collection)).approved.map(_.id)).found
+    val superAdmin = user match {
+      case Some(u) => u.superAdminMode
+      case None => false
+    }
+
+    val filesList = if (superAdmin)
+      files.get(response.results.filter(_.resourceType == 'file).map(_.id)).found
+    else
+      files.get(Permission.checkPermissions(user, Permission.ViewFile,
+        response.results.filter(_.resourceType == 'file)).approved.map(_.id)).found
+
+    val datasetsList = if (superAdmin)
+      datasets.get(response.results.filter(_.resourceType == 'dataset).map(_.id)).found
+    else
+      datasets.get(Permission.checkPermissions(user, Permission.ViewDataset,
+        response.results.filter(_.resourceType == 'dataset)).approved.map(_.id)).found
+
+    val collectionsList = if (superAdmin)
+      collections.get(response.results.filter(_.resourceType == 'collection).map(_.id)).found
+    else
+      collections.get(Permission.checkPermissions(user, Permission.ViewCollection,
+        response.results.filter(_.resourceType == 'collection)).approved.map(_.id)).found
 
     // Now reorganize the separate lists back into Elasticsearch score order
     for (resource <- response.results) {

app/views/metadatald/search.scala.html

@@ -464,34 +464,36 @@ <h1>Search Metadata within Space: "@space.name"</h1>
                 count += resp.scanned_size;
                 searching = false;
 
-                // Correctly increment skipped count
+                // Correctly increment skipped count if we are missing results but have no more pages
                 if (resp.count != resp.total_size) {
                     if (resp.size > 0) {
                         if (resp.total_size < resp.scanned_size)
                             skipped_count += (resp.total_size - resp.count);
-                        else
+                        else if (resp.total_size > (resp.from+resp.count)) // last page case
                             skipped_count += (resp.scanned_size - resp.count);
                     } else if (resp.hasOwnProperty('next') || resp.total_size == resp.scanned_size) {
+                        // We got size zero result, but ES reports there should be some in total_size
                         skipped_count += resp.total_size
                     }
                 }
 
+                $('#resultstitle').html('<h3>Results</h3>');
+
+                // Convert results into displayed list
+                if (from_count > 0) {
+                    parseSearchResults(resp, status, err, false)
+                } else {
+                    parseSearchResults(resp, status, err)
+                }
+
                 if (resp.count == 0) {
                     found_all = true;
                     if (skipped_count>0)
                         $('#resultsfooter').append("<i><b>All results displayed (omitted "+skipped_count+" results due to insufficient permissions).</b></i>");
                     else
                         $('#resultsfooter').append("<i><b>All results displayed.</b></i>");
-                    $('#resultsfooter').append("<br/>&nbsp;<br/>")
-                }
-
-                $('#resultstitle').html('<h3>Results ('+resp.total_size+')</h3>');
 
-                // Convert results into displayed list
-                if (from_count > 0) {
-                    parseSearchResults(resp, status, err, false)
-                } else {
-                    parseSearchResults(resp, status, err)
+                    $('#resultsfooter').append("<br/>&nbsp;<br/>")
                 }
             });
 

app/views/searchResults.scala.html

@@ -173,7 +173,7 @@ <h1>Search</h1>
                     if (resp.size > 0) {
                         if (resp.total_size < resp.scanned_size)
                             skipped_count += (resp.total_size - resp.count);
-                        else
+                        else if (resp.total_size > (resp.from+resp.count))
                             skipped_count += (resp.scanned_size - resp.count);
                     } else if (resp.hasOwnProperty('next') || resp.total_size == resp.scanned_size) {
                         skipped_count += resp.total_size
@@ -189,7 +189,7 @@ <h1>Search</h1>
                     $('#resultsfooter').append("<br/>&nbsp;<br/>")
                 }
 
-                $("#resultheader").html("<h3>Results ("+resp.total_size+")</h3>");
+                $("#resultheader").html("<h3>Results</h3>");
 
                 updateResults(resp, empty);
                 // On initial page load, call this again just in case we have room to show more