-
Bug
-
Resolution: Done
-
Blocker
-
4.0.0.Alpha2
-
None
MODE-2173 addressed this issue in the '3.x' and '3.7.x' branches, and it also applied the same fix to the 'master' branch. However, in 'master' the new query engine no longer processes the nodes quite as cleanly. As hchiorean mentions in a comment on that issue:
all the client-exposed query iterators (node/row iterators) rely on "low-level" query information provided by the Batch and Sequence classes. Those in turn operate on a "cache-level", meaning they aren't aware of any JCR permissions.
This means that the QueryResultIterator class and its subclasses have to change to implement the full RangeIterator contract correctly (taking into account permissions). There are however aspects which will make this difficult:
- Batch instances are initialized empty and lazily incremented on nextRow. Considering that the nextRow might return an invalid row (for which there are no permissions) the hasNext and moveToNextRow methods need to be changed. IMO this is not trivial and the ideal solution would be really for the Batch class to be aware of the permissions aspect, but not sure if that's possible/desirable.
- RangeIterator#getSize returns atm the size of the Sequence. This is not correct anymore because nodes may not be accessible permissions-wise. I don't really see how this could be changed, so -1 seems to be the only viable option if ACLs are enabled.
At this time, it's not clear whether it'd be better to handle this within the batch-level of higher up in the results: there are pros/cons to each approach. More discussion to follow in the comments below.