From c4895cd63510ba9201e7514f3ac065e0496b1b3c Mon Sep 17 00:00:00 2001
From: tusmester
Date: Thu, 10 Aug 2017 13:44:37 +0200
Subject: [PATCH] Suppress field errors when serving a content through odata. (#144)

This change makes odata responses more robust. If a security error occurs during formatting a field (e.g. a field tries to access another content that the user does not have access to), it makes the whole response invalid by returning an error code. This change suppresses that exception and silently returns a *null* value.
---
 src/Services/OData/ODataFormatter.cs | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/Services/OData/ODataFormatter.cs b/src/Services/OData/ODataFormatter.cs
index 914db859e..612187129 100644
--- a/src/Services/OData/ODataFormatter.cs
+++ b/src/Services/OData/ODataFormatter.cs
@@ -869,7 +869,19 @@ internal static object GetJsonObject(Field field, string selfUrl)
 {
 return ODataReference.Create(String.Concat(selfUrl, "/", field.Name));
 }
- data = field.GetData();
+ try
+ {
+ data = field.GetData();
+ }
+ catch (SenseNetSecurityException)
+ {
+ // The user does not have access to this field (e.g. cannot load
+ // a referenced content). In this case we serve a null value.
+ data = null;
+
+ SnTrace.Repository.Write("PERMISSION warning: user {0} does not have access to field '{1}' of {2}.", User.LoggedInUser.Username, field.Name, field.Content.Path);
+ }
+
 var nodeType = data as NodeType;
 if (nodeType != null)
 return nodeType.Name;
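Review bot: The new catch block in GetJsonObject turns a permission denial into `data = null`, which a client cannot tell apart from a field that is genuinely empty. A client that reads the entity and writes it back could, if it has write access, end up clearing a value it was never allowed to see. At minimum the comment should state the contract, e.g. `// null here means "not readable by the current user", not "empty"; do not treat it as the stored value.` The denial is also recorded only through `SnTrace.Repository.Write`, which looks like a diagnostic trace rather than an audit record, so it is worth confirming that such denials reach a log that is retained and reviewed. The trace arguments `User.LoggedInUser.Username` and `field.Content.Path` are evaluated inside the handler, so an exception from either would still fail the whole response. GetJsonObject's body starts and ends outside the hunk.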