StringBasedMongoQuery handles complex expression parameters incorrectly. [DATAMONGO-1244]

[spring-projects-issues]

Thomas Darimont opened DATAMONGO-1244 and commented

Currently the regex based expression parameter scanning is too weak to handle nested object expressions like:

{'id':?#{ [0] ? { $exists :true} : [1] }}

which currently yields the invalid mongo query:

{'id':?expr0 : [1] }}

instead of:

{'id':'?expr0'}

Further more, if complex parameter objects are passed as expressions
they get unnecessarily quoted which could yield wrong results.
E.g:

@{'id':?#{ [0] ? { $exists :true} : [1] }, 'foo':42, 'bar': ?#{ [0] ? { $exists :false} : [1] }}

Currently results in:

@{'id':"{ \"$exists\" :true}", 'foo':42, 'bar': 'foo' }}

when finally rendered.

This prevents the effective use of SpEL based parameter expressions
to be used for dynamic filtering with Spring Security as it is currently possible
with Spring Data JPA.

With this fixed one could easily perform filtering based on Spring Security context information in Spring Data MongoDB Repositories:

public interface PersonRepository extends CrudRepository<Person, String> {

	@Query("{id: ?#{ hasRole('ROLE_ADMIN') ? {$exists:true} : principal.id}}")
	List<Person> findAllForCurrentUserById();
}

---

Affects: 1.8 M1 (Gosling)

Referenced from: pull request #306

[spring-projects-issues]

Thomas Darimont commented

Please revise

[spring-projects-issues]

Thomas Darimont commented

Oliver Drotbohm thanks for polishing :)

Don't forget to merge the demo for this in the spring-data-examples: spring-projects/spring-data-examples#108

Cheers,
Thomas