Defect content drive search leaks info with limited user#34783
Merged
dario-daza merged 18 commits intomainfrom Mar 4, 2026
Merged
Defect content drive search leaks info with limited user#34783dario-daza merged 18 commits intomainfrom
dario-daza merged 18 commits intomainfrom
Conversation
…-with-limited-user
dario-daza
changed the title
…-with-limited-user
fabrizzio-dotCMS
approved these changes
Mar 3, 2026
ihoffmann-dot
approved these changes
Mar 3, 2026
nollymar
approved these changes
Mar 3, 2026
dario-daza
deleted the
34354-defect-content-drive-search-leaks-info-with-limited-user
branch
oidacra
pushed a commit
that referenced
this pull request
Mar 5, 2026
## Content Drive: Permission Filtering & Cursor-Based Pagination ### Problem Content Drive was not filtering results by user permissions, allowing users to see content they should not have access to. Additionally, the offset-based pagination strategy (startRow) skipped raw DB rows before applying permission filters, which produced sparse or empty pages — items were silently removed from an already-sliced result. ### Solution Content is now filtered by the requesting user's permissions before the page is assembled. The DB is scanned in configurable chunks; after each chunk, inaccessible items are discarded and only user-visible content is accumulated. Scanning stops as soon as enough visible items are collected to fill the page. **This guarantees that:** - Every page contains exactly maxResults items whenever enough visible content exists - Users never see content they are not allowed to read - Restricted users browsing large folders always get correctly sized pages, regardless of how many items are hidden from them **Cursor-based pagination** Both folders and content now use cursor-based pagination instead of an offset: - `contentCursor` — the DB row position where the next content scan should resume - `folderCursor` — the index into the folder list where the next folder page should resume #### The request & response Now returns `nextContentCursor` and `nextFolderCursor`, which clients pass on the next request to continue exactly where the previous page ended — no gaps, no duplicates. Plus we also return hasMore and hasMore to know we could retrieve more content or folders for the next page. Original Request | Proposed Request :-------------------------:|:-------------------------: <img width="446" height="243" alt="image" src="https://github.com/user-attachments/assets/a1537ce6-2e1f-4be6-ad4b-954ac266d048" /> | <img width="423" height="254" alt="image" src="https://github.com/user-attachments/assets/39a41c41-3bd2-4900-870e-ff7bf0579856" /> **Original Response** | **Proposed Response** <img width="282" height="223" alt="image" src="https://github.com/user-attachments/assets/90e32e37-18a9-4042-b24a-6d8d4efe647a" /> | <img width="254" height="277" alt="image" src="https://github.com/user-attachments/assets/c69e9372-204c-4785-8f91-29cb35fb5eb6" /> This PR fixes: #34354
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Content Drive: Permission Filtering & Cursor-Based Pagination
Problem
Content Drive was not filtering results by user permissions, allowing users to see content they should not have access to. Additionally, the offset-based pagination strategy (startRow) skipped raw DB rows before applying permission filters, which produced sparse or empty pages — items were silently removed from an already-sliced result.
Solution
Content is now filtered by the requesting user's permissions before the page is assembled. The DB is scanned in configurable chunks; after each chunk, inaccessible items are discarded and only user-visible content is accumulated. Scanning stops as soon as enough visible items are collected to fill the page.
This guarantees that:
Cursor-based pagination
Both folders and content now use cursor-based pagination instead of an offset:
contentCursor— the DB row position where the next content scan should resumefolderCursor— the index into the folder list where the next folder page should resumeThe request & response
Now returns
nextContentCursorandnextFolderCursor, which clients pass on the next request to continue exactly where the previous page ended — no gaps, no duplicates.Plus we also return hasMore and hasMore to know we could retrieve more content or folders for the next page.
This PR fixes: #34354
This PR fixes: #34354