Expected behavior
A new search or a saved search using the Advanced Object Search Bundle should work for both admin and non-admin users, regardless of the field names used in the object class (including fields named key).
Actual behavior
When a non-admin user executes a saved search on a class that contains a field named key, the system returns an HTTP 500 error. The stack trace shows a SQL syntax error caused by the unescaped usage of the reserved keyword key in a dynamically built permission-related SQL condition.
Excerpt from error:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key),cpath)=1 ORDER BY LENGTH(cpath) DESC LIMIT 1)=1' at line 2
The issue does not occur for admin users, as permission filtering behaves differently.
Steps to reproduce
- Create a DataObject class (e.g. Product) and add a field with the technical name key
- Create a saved search using the Advanced Object Search interface
- Assign the search to be usable by non-admin users
- Log in as a non-admin user and load the saved search
- Observe the HTTP 500 error in the browser and check the logs for SQL errors
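As an added illustration of the failure mode described above (not the bundle's own code; the table and column names other than key are placeholders), the same permission subquery built once by splicing the field names into the SQL text and once with backtick-quoted identifiers:

```python
import re

# Constructed illustration: a column name is spliced into SQL text as-is, so a
# field called "key" is parsed as the keyword KEY. object_permissions, cpath and
# allowed are placeholder names, not the bundle's real schema.
CONDITION_TEMPLATE = (
    "(SELECT allowed FROM object_permissions "
    "WHERE LOCATE(CONCAT({path},{key}),cpath)=1 "
    "ORDER BY LENGTH(cpath) DESC LIMIT 1)=1"
)

# Only plain identifier characters are accepted before quoting; anything else
# (spaces, backticks, punctuation) is rejected rather than escaped.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_$]+$")

# A few MySQL reserved words that commonly collide with user-defined field names.
MYSQL_RESERVED = {"KEY", "ORDER", "GROUP", "INDEX", "SELECT", "TABLE", "DEFAULT"}


def is_safe_identifier(name: str) -> bool:
    """True when the name consists only of plain identifier characters."""
    return IDENTIFIER_RE.match(name) is not None


def quote_identifier(name: str) -> str:
    """Wrap the name in backticks so MySQL reads it as an identifier, never a keyword."""
    if not is_safe_identifier(name):
        raise ValueError(f"refusing to quote unsafe identifier: {name!r}")
    return f"`{name}`"


def is_reserved(name: str) -> bool:
    """True when an unquoted use of this name would be read as a MySQL keyword."""
    return name.upper() in MYSQL_RESERVED


def build_condition(path_col: str, key_col: str, quote: bool = True) -> str:
    """Build the permission subquery; quote=False reproduces the broken construction."""
    if quote:
        path_col, key_col = quote_identifier(path_col), quote_identifier(key_col)
    return CONDITION_TEMPLATE.format(path=path_col, key=key_col)


if __name__ == "__main__":
    print("broken:", build_condition("path", "key", quote=False))
    print("fixed :", build_condition("path", "key"))
    print("reserved field names:", [f for f in ("path", "key", "name") if is_reserved(f)])
```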