searchObjects, searchObjectIterative and countObjects - using clone o…

…f object query because authorization mechanism adds additional (security) filters to the (origin) query. at the end objectQuery contains additional filter as many times as the authz mechanism is called. (MID-6115)

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java

@@ -743,11 +743,15 @@ private void applyDefinitions(Collection<ObjectDelta<? extends ObjectType>> delt
     }
 
     @Override
-    public <T extends ObjectType> SearchResultList<PrismObject<T>> searchObjects(Class<T> type, ObjectQuery query,
+    public <T extends ObjectType> SearchResultList<PrismObject<T>> searchObjects(Class<T> type, ObjectQuery origQuery,
             Collection<SelectorOptions<GetOperationOptions>> rawOptions, Task task, OperationResult parentResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
 
         Validate.notNull(type, "Object type must not be null.");
         Validate.notNull(parentResult, "Operation result must not be null.");
+        // using clone of object query here because authorization mechanism adds additional (secuirty) filters to the (original) query
+        // at the end objectQuery contains additional filters as many times as the authZ mechanism is called.
+        // for more info see MID-6115
+        ObjectQuery query = origQuery != null ? origQuery.clone() : null;
         if (query != null) {
             ModelImplUtils.validatePaging(query.getPaging());
         }
@@ -1073,12 +1077,14 @@ protected void logQuery(ObjectQuery query) {
     }
 
     @Override
-    public <T extends ObjectType> SearchResultMetadata searchObjectsIterative(Class<T> type, ObjectQuery query,
+    public <T extends ObjectType> SearchResultMetadata searchObjectsIterative(Class<T> type, ObjectQuery origQuery,
             final ResultHandler<T> handler, final Collection<SelectorOptions<GetOperationOptions>> rawOptions,
             final Task task, OperationResult parentResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
 
         Validate.notNull(type, "Object type must not be null.");
         Validate.notNull(parentResult, "Result type must not be null.");
+        // see MID-6115
+        ObjectQuery query = origQuery != null ? origQuery.clone() : null;
         if (query != null) {
             ModelImplUtils.validatePaging(query.getPaging());
         }
@@ -1176,10 +1182,12 @@ private void processSearchException(Throwable e, GetOperationOptions rootOptions
     }
 
     @Override
-    public <T extends ObjectType> Integer countObjects(Class<T> type, ObjectQuery query,
+    public <T extends ObjectType> Integer countObjects(Class<T> type, ObjectQuery origQuery,
             Collection<SelectorOptions<GetOperationOptions>> rawOptions, Task task, OperationResult parentResult)
             throws SchemaException, ObjectNotFoundException, ConfigurationException, SecurityViolationException, CommunicationException, ExpressionEvaluationException {
 
+        // see MID-6115
+        ObjectQuery query = origQuery != null ? origQuery.clone() : null;
         OperationResult result = parentResult.createMinorSubresult(COUNT_OBJECTS);
         result.addParam(OperationResult.PARAM_QUERY, query);