How to use API (advisor) to query and list restricted work items?


Bruno Braga (48013621) | asked Nov 01 '13, 12:23 p.m.
edited Nov 02 '13, 11:07 a.m.
Hi,

I'm using that code to find work items from an Advisor. Now I'm facing a problem: that query is returning work items based on the logged-in user's profile. So if a specific user doesn't have access to a specific work item, that query is not returning that specific work item.
It is important for my advisor to find that work item and check some attributes.

How to execute that query using an "admin" user or add an option to ignore current user permissions / profile?
// Query work items by project area, iteration (target) and work item type.
WorkItemQueryModel model = WorkItemQueryModel.ROOT;
IItemQuery query = IItemQuery.FACTORY.newInstance(model);
IPredicate predicatePA = model.projectArea()._eq(query.newItemHandleArg());
IPredicate predicateIterator = model.target()._eq(query.newItemHandleArg());
IPredicate predicateType = model.workItemType()._eq(query.newStringArg());
IPredicate predicate = predicatePA._and(predicateIterator)._and(predicateType);
query.filter(predicate);

// The arguments are passed in the same order as the predicates above.
com.ibm.team.workitem.common.internal.util.ItemQueryIterator<IWorkItemHandle> iterator =
    new com.ibm.team.workitem.common.internal.util.ItemQueryIterator<IWorkItemHandle>(
        auditableCommon, query, new Object[] { projectArea, iterationHandle, workItemType });

// Resolve the handles returned by the query to full work items.
List<IWorkItem> workItems = auditableCommon.resolveAuditables(iterator.toList(monitor), profile, monitor);

Comments
sam detweiler commented Nov 02 '13, 9:31 a.m.

I believe the advisor runs in the context of the user making the workitem change; there is no method to change that, that I know of.

Accepted answer


Ralph Schoon (60.5k33643) | answered Nov 05 '13, 9:53 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
In that case I would suggest thinking about creating a service such as the e-mail notification service or another asynchronous task that runs in a different user context. Jorge provides an example that might be a starting point here: http://jorgediazblog.wordpress.com/2013/06/28/rtc-custom-scheduled-async-task-example-explained/

You can find the E-Mail Notification code in the SDK. I found it recently; I would search the SDK for 'mail' or something.

I am not sure if there are drawbacks with that approach, e.g. potential conflicts if the asynchronous task writes the work items.
Bruno Braga selected this answer as the correct answer

Comments
sam detweiler commented Nov 05 '13, 10:07 a.m.

Problem is he wants this synchronous with the save.

I suppose you could use the asynch task, and 'hope' that the linking happens soon enough that no one will complain.

Also, I don't think you can pass parameters to these async tasks from outside, unless you design your own linked list message storage facility.

Also, and maybe more importantly, you should NOT be changing the workitem in the advisor, but more properly in a participant. Maybe the participant runs in admin context (don't remember).


Bruno Braga commented Nov 05 '13, 10:32 a.m.

Ok.

Using that approach I will lose something... Like: today (removing the read access protection) I could validate if [Work Item 123] exists and show a message to the user: you can't create [New Work Item 456] for that iteration because there is no "Service Request" work item associated with that iteration.

So I could find the Service Request work items, validate if it exists and link if it was found.
Using an asynchronous job, the end user could create many tasks for iterations that don't have a service request, and it will be a problem for project reports.

But, maybe it is the only way... :/


Ralph Schoon commented Nov 05 '13, 10:39 a.m. | edited Nov 05 '13, 10:40 a.m.

Yes, never modify in an advisor.

I don't know a better way. Others might, but I would be surprised. The participants and advisors, as far as I can tell, run in the context of the user that saves. I don't know if there is a way to elevate the user.

You can probably communicate information. At least I have heard that. The additional save parameters used in participants are only one example.

Please be aware that there is an issue with creating links in a participant as well, see: https://jazz.net/jazz/resource/itemName/com.ibm.team.workitem.WorkItem/288105

I am not sure if that applies to all link types, but it prevents creation of back links due to a database lock on the work item that is processed by the participant, as I learned only recently.

3 other answers



Bruno Braga (48013621) | answered Nov 02 '13, 11:07 a.m.
 Is it possible to run that query with another user?

Comments
sam detweiler commented Nov 02 '13, 11:10 a.m.

I am not aware of a way to run under a different user context.


Ralph Schoon (60.5k33643) | answered Nov 02 '13, 3:28 p.m.
If the user running the advisor does not have access to the query results, the only thing you can tell from the result is if there are restricted work items. You could decide on that if the advisor should fail. I don't think you can hack the user context.

Comments
sam detweiler commented Nov 02 '13, 3:35 p.m.

I think the user has access to everything in the query results, but maybe everything needed is not IN the query results at all. So you cannot tell (from the result array) that items are not present, because the user shouldn't see them anyhow.

Rules based on admin-level access to ALL content are problematic, and invite security breaches.


Ralph Schoon commented Nov 04 '13, 4:03 a.m.

I know there is a permission aware API that allows you to at least get the handles to items you don't have permission to or that do not show up for other reasons. I am not sure if the permission aware API is accessible from queries. A quick look did not reveal it, so you will most likely only see the results you have access to.
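
Added example, not part of the original thread and not RTC SDK code: a small Python model of the trade-off discussed in this answer and its comments. The `readers` field, the `elevated` flag and the sample items are assumptions made for illustration; the model shows that a user-context query wrongly blocks the save, while an elevated check tells the user that a restricted item exists.

```python
# Toy model (constructed data, NOT the RTC/Jazz API): read-restricted work items
# and an advisor that requires a "Service Request" in the target iteration.
from dataclasses import dataclass


@dataclass(frozen=True)
class WorkItem:
    id: int
    type: str
    iteration: str
    readers: frozenset = frozenset()  # empty set: readable by everyone

    def readable_by(self, user):
        return not self.readers or user in self.readers


REPO = [  # constructed sample data
    WorkItem(123, "Service Request", "Sprint 1", frozenset({"manager"})),
    WorkItem(200, "Task", "Sprint 1"),
    WorkItem(300, "Task", "Sprint 2"),
]


def query(user, type_, iteration, elevated=False):
    """Matching items, filtered by read access like the query in the question.

    `elevated` is a hypothetical switch standing in for an admin context."""
    return [w for w in REPO
            if w.type == type_ and w.iteration == iteration
            and (elevated or w.readable_by(user))]


def advisor_allows_save(user, iteration, elevated=False):
    """Precondition: saving is allowed only if the iteration has a Service Request."""
    return bool(query(user, "Service Request", iteration, elevated))


def leaked_iterations(user, iterations):
    """Iterations where an elevated advisor's verdict reveals a Service Request
    that the saving user is not allowed to read."""
    return [it for it in iterations
            if advisor_allows_save(user, it, elevated=True)
            and not query(user, "Service Request", it)]
```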


Bruno Braga (48013621) | answered Nov 05 '13, 9:44 a.m.
My scenario is complicated...

[Work Item 123]
[New Work Item 456]

A specific user is creating the [New Work Item 456] and doesn't have read access to [Work Item 123].
But using an advisor (precondition or follow-up action) I have to link [New Work Item 456] with [Work Item 123].
To create that link I have to execute a query and find the [Work Item 123] by type and iteration.

My problem is: if [Work Item 123] is protected (read access) I can't find it running a query in that user context.

I would like to change the user context to be able to find all work items, or use the query API to create a query with some parameter that could ignore the read access protection.
