Description
WS query for attribute assignments on a stem fails for a non-wheel user.
{
  "WsRestGetAttributeAssignmentsLiteRequest":{
    "attributeAssignType":"stem",
    "wsOwnerStemName":"unc:app:its:o365:course:sp18:its:101:its101_sp18_gp02"
  }
}
Result is an exception response. Stack trace shows two where clauses in the query:
{{Caused by: org.hibernate.hql.internal.ast.QuerySyntaxException: unexpected token: where near line 1, column 453 [select count(distinct aa) from edu.internet2.middleware.grouper.attr.assign.AttributeAssign aa, edu.internet2.middleware.grouper.attr.AttributeDefName adn , MembershipEntry __attrDefMembershipTNB3J5XM, MembershipEntry __namingMembership where __namingMembership.ownerStemId = aa.ownerStemId and __namingMembership.fieldId in (:TNB3J5XO0, :TNB3J5XO1) and __namingMembership.memberUuid in (:TNB3J5XP0, :TNB3J5XP1) and __namingMembership.enabledDb = 'T' where aa.attributeDefNameId = adn.id and aa.attributeAssignTypeDb = 'stem' and __attrDefMembershipTNB3J5XM.ownerAttrDefId = adn.attributeDefId and __attrDefMembershipTNB3J5XM.fieldId in (:TNB3J5XL0, :TNB3J5XL1) and __attrDefMembershipTNB3J5XM.memberUuid in (:TNB3J5XN0, :TNB3J5XN1) and __attrDefMembershipTNB3J5XM.enabledDb = 'T' and aa.enabledDb = 'T' and aa.ownerStemId in (:TNB3J5XQ0) ]
}}
The issue appears to be in Hib3AttributeAssignDAO, a logic error when adding the optional naming clause. Fixes for me:
@@ -3437,7 +3437,7 @@ public class Hib3AttributeAssignDAO extends Hib3DAO implements AttributeAssignDA
boolean changedQuery = false;if (attributeCheckReadOnAttributeDef) {
- grouperSession.getNamingResolver().hqlFilterStemsWhereClause(
+ changedQuery = grouperSession.getNamingResolver().hqlFilterStemsWhereClause(
grouperSessionSubject, byHqlStatic,
sqlTables, "aa.ownerStemId", NamingPrivilege.ATTRIBUTE_READ_PRIVILEGES);
{{ }}}
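Review bot: the `+` line only works if hqlFilterStemsWhereClause returns true exactly when it has appended a where clause to byHqlStatic. That contract deserves a one-line comment at this call, since discarding the return value is what produced the second `where` in the trace above. The assignment is a plain `=`, which is safe here because changedQuery is initialised to false directly above it; if another filter call is ever placed before this one, it would need to become `changedQuery = changedQuery || ...`. Nothing in the patch exercises this path as a non-root subject, so a test that calls findStemAttributeAssignments under a non-wheel session would guard against regression.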
Minimal GSH script to verify bug (note values specific to our institution):
import edu.internet2.middleware.grouper.internal.dao.hib3.Hib3AttributeAssignDAO
GrouperSession gs = GrouperSession.startRootSession(true)
Subject s = SubjectFinder.findByIdentifierAndSource("ldapauth/app_its_idm_grouper-ws", "app", true)
GrouperSession session = GrouperSession.start(s)
Set<AttributeAssign> assigns = new Hib3AttributeAssignDAO().findStemAttributeAssignments(
null, // attributeAssignIds
null, // attributeDefIds
null, // attributeDefNameIds
["3d23fdfb3cf1468d94a48f23000d7880"], // stemIds
null, // actions
true, // enabled
false, // includeAssignmentsOnAssignments
null, // attributeDefType
null, // attributeDefValueType
null) // theValue
print assigns
I'm also going to look at the tests, so not ready for a commit yet.
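The flag-handling bug described above, as an added example that is not part of the original report and is not Grouper's code: a simplified model of a query builder whose privilege filter reports whether it appended a where clause. All names other than hqlFilterStemsWhereClause and changedQuery are hypothetical, and the model assumes the filter adds nothing for a root subject.

```java
// Simplified model of the query assembly. Only hqlFilterStemsWhereClause and
// changedQuery are names from the report; everything else is hypothetical.
public class WhereClauseFlagDemo {

  // Stand-in for the privilege filter. Assumption of this model: for a root
  // (wheel) subject it adds nothing and returns false; otherwise it appends
  // its own "where" clause and returns true so the caller knows one exists.
  static boolean hqlFilterStemsWhereClause(boolean rootSubject, StringBuilder hql) {
    if (rootSubject) {
      return false;
    }
    hql.append(", MembershipEntry nm where nm.ownerStemId = aa.ownerStemId");
    return true;
  }

  static String buildQuery(boolean rootSubject, boolean honorReturnValue) {
    StringBuilder hql = new StringBuilder("select aa from AttributeAssign aa");
    boolean changedQuery = false;
    boolean filtered = hqlFilterStemsWhereClause(rootSubject, hql);
    if (honorReturnValue) {
      changedQuery = filtered; // behaviour after the one-line fix
    }
    // The caller joins its own conditions with "and" only when it believes
    // a where clause is already present.
    hql.append(changedQuery ? " and " : " where ");
    hql.append("aa.attributeAssignTypeDb = 'stem'");
    return hql.toString();
  }

  // Counts occurrences of the keyword " where " in the generated query.
  static int countWhere(String hql) {
    return hql.split(" where ", -1).length - 1;
  }

  public static void main(String[] args) {
    boolean[] flags = {true, false};
    for (boolean root : flags) {
      for (boolean fixed : new boolean[] {false, true}) {
        String q = buildQuery(root, fixed);
        // Only root=false with fixed=false yields two where clauses.
        System.out.printf("root=%b fixed=%b where-count=%d%n", root, fixed, countWhere(q));
      }
    }
  }
}
```

The root-subject rows show why the defect stays hidden when testing only with a root session: the filter never appends anything, so the discarded return value makes no difference.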