Search API handles roles wrong

Steps to reproduce

1. Ingest a video, publish it to Engage, and set the access policy to private (role ROLE_USER_ADMIN has read access).
2. Create a user with role ROLE_USER (as is the case with an LTI user).
3. Log in as this user (e.g. in the Engage UI).

Actual Results: This user can access the ingested video.

Expected Results: This user has no access to the video.

Workaround (if any): none

Problem:
The problem lies in the query that is sent to Solr:

`": AND oc_organization:mh_default_org AND (oc_acl_read:ROLE_USER_TEST OR oc_acl_read:ROLE_ANONYMOUS OR oc_acl_read:ROLE_USER) AND -oc_mediatype:Series AND -oc_deleted:[* TO *]"`

Since ROLE_USER is a substring of ROLE_USER_ADMIN, Solr is returning this entry. A fix would be to always store the role enclosed in some sort of symbols (e.g. commas) and require that in the search query.

Status:
Assignee: Unassigned
Reporter: Matthias Neugebauer
Severity: Security
Tags (folksonomy): None
Fix versions:
Affects versions: 2.2.2
Priority: Major
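
The substring match described in the report and the proposed delimiter fix, modelled in plain Python as an added example (not part of the original report, and not Opencast or Solr code). The sample documents and all function names are constructed for illustration, and the model assumes matching behaves as the report describes.

```python
# Added illustration: a toy model of the read-ACL filter, not Opencast or Solr code.
# Role names come from the report; the documents and helper names are constructed.

DOCS = [  # constructed sample index entries: (id, roles with read access)
    ("private-video", ["ROLE_USER_ADMIN"]),
    ("public-video", ["ROLE_ANONYMOUS"]),
    ("lti-video", ["ROLE_USER"]),
]
USER_ROLES = ["ROLE_USER_TEST", "ROLE_ANONYMOUS", "ROLE_USER"]  # as in the reported query


def substring_filter(docs, user_roles):
    """Behaviour described in the report: a role matches if it occurs
    anywhere inside the stored ACL text."""
    return [doc_id for doc_id, acl in docs
            if any(role in " ".join(acl) for role in user_roles)]


def wrap(roles, sep=","):
    """Proposed fix: store every role enclosed in a delimiter, e.g. ',A,B,'.
    Assumes the delimiter can never appear inside a role name."""
    for role in roles:
        if sep in role:
            raise ValueError(f"role {role!r} contains the delimiter")
    return sep + sep.join(roles) + sep


def delimited_filter(docs, user_roles, sep=","):
    """Same containment test, but the query term carries the delimiters too,
    so only a whole role can match."""
    return [doc_id for doc_id, acl in docs
            if any(wrap([role], sep) in wrap(acl, sep) for role in user_roles)]


def exact_filter(docs, user_roles):
    """Reference behaviour: compare whole role tokens."""
    allowed = set(user_roles)
    return [doc_id for doc_id, acl in docs if allowed & set(acl)]


if __name__ == "__main__":
    print("substring:", substring_filter(DOCS, USER_ROLES))
    print("delimited:", delimited_filter(DOCS, USER_ROLES))
    print("exact:    ", exact_filter(DOCS, USER_ROLES))
```

The same three sample documents work as a regression fixture: any role-matching change should keep the delimited and exact results identical for role names that are prefixes of one another.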