Asset Listing works as System Admin but not as LDAP User with Admin Permissions


(Nic Hubbard) #1

We have some internal pages that list Form Submissions assets (3335 assets). There are 50 per page with pagination so that our users can navigate the records.

 

Strange thing is, as a System Admin I can easily view the Asset Listing and it loads in a matter of seconds. But, we have a User Group with LDAP users inside, given Write (and tried Admin) permission to the Form Submissions folder so that they can see them in the listing. When loading the page it basically dies when trying to print the Asset Listing and we get the error in the logs:

13:57:21 - 02 Sep
User: Root User (12)
Level: Matrix Warning
Listing page #131304 is trying to list 3335 assets, which exceeds the performance monitor threshold of 1000

Raw Entry:[2014-09-02 13:57:30][64116:CN=Nic Hubbard [nnhubbard],OU=Employees,OU=Users,OU=PUC,DC=puc,DC=edu:Nic Hubbard [nnhubbard]]
[512:matrix warning][ ] Listing page #131304 is trying to list 3335 assets, which exceeds the performance monitor threshold of 1000

Was also getting the following error, but it has since disappeared after adding more MB to Web Memory Limit:

[02-Sep-2014 13:34:34] PHP Fatal error: Allowed memory size of 201326592 bytes exhausted (tried to allocate 17886 bytes) in /opt/matrix/core/lib/DAL/DAL.inc on line 798

Why is this happening with the LDAP User (I also tried a User asset) but not with a System Admin? I totally understand that a System Admin needs no permission checks, but wouldn't Admin Read access to those Submission logs do the trick?


(Joel Porgand) #2

 

Strange thing is, as a System Admin I can easily view the Asset Listing and it loads in a matter of seconds. 

 

Doesn't a system admin account skip asset permissions checks or something along those lines? Even if an LDAP user has admin permission it would still need to go through the normal checking mechanism to determine that. 


(Nic Hubbard) #3

 

Doesn't a system admin account skip asset permissions checks or something along those lines? Even if an LDAP user has admin permission it would still need to go through the normal checking mechanism to determine that. 

 

Maybe I need to go with a What's New page...


(Tom Chadwin) #4

Slightly long shot, but is workflow applied to those pages? We ran into a major problem with LDAP, which ground performance to a halt. Squiz tentatively diagnosed it as a conflict between LDAP and workflow, but they'd never seen the issue before. We never got to the bottom of it, sadly.


(Nic Hubbard) #5

Slightly long shot, but is workflow applied to those pages? We ran into a major problem with LDAP, which ground performance to a halt. Squiz tentatively diagnosed it as a conflict between LDAP and workflow, but they'd never seen the issue before. We never got to the bottom of it, sadly.

 

No, we don't use Workflow, so that can't be the issue.


(Aleks Bochniak) #6

The issue is probably matrix checking ldap and users permissions and querying the database for all 3335 assets.

 

If you're seeing fatal errors from the database layer - then you're pretty much f!cked doing it this way.

 

My suggestion is to find another way to do it -  or don't attempt to list so many assets.


(Nic Hubbard) #7

The issue is probably matrix checking ldap and users permissions and querying the database for all 3335 assets.

 

If you're seeing fatal errors from the database layer - then you're pretty much f!cked doing it this way.

 

My suggestion is to find another way to do it -  or don't attempt to list so many assets.

 

Yeah, I moved to a What's New asset and only listed the previous month's submissions.

 

Sad though, that there isn't a way to have a listing on the frontend that can list this many assets, even paginated, similar to how the Submission Logs screen works.


(Bart Banda) #8

Maybe the LDAP connection is taking too long to do the permission checking? In 5.1, we've added LDAP caching (http://manuals.matrix.squizsuite.net/patches/5.1.0.0) in order to improve performance for LDAP bridges and not require Matrix to do an LDAP call for every permission check, this might be what you need.

 

Another option would be to maybe put a REST asset in front of the asset listing as a proxy asset, where the REST asset calls the listing with specific user credentials. That might also get around your permission performance issue. Although if they only need to view the submissions, don't they only need Read access?


(Nic Hubbard) #9

We actually did just update to 5.1.1 and I just tested the page and it does work now. Seems like the LDAP caching feature helped!

 

Thanks!


#10

Hey Bart - with LDAP caching just this feature would you think it’s worth upgrading from 4.18.0?


(Bart Banda) #11

If you are wondering if it's worth upgrading from 4.18 to 5.1, I would say a big YES seeing as 5.1 has soooo many other awesome new features in it. The LDAP caching is also just one of them, I think other improvements and bug fixes have gone into the LDAP caching since 4.18.

 

Check out the release notes for 5.0 and 5.1 to see what you would get:

http://manuals.matrix.squizsuite.net/patches/5.0.0.0

http://manuals.matrix.squizsuite.net/patches/5.1.0.0