New users cannot log in: RepositoryException PathNotFoundException for /okm:personal (OpenKM 6.3.13

[Ethan.Yang]

Hi,

I’m running OpenKM Community 6.3.13-DEV (build: 058e5bf) on Linux with MySQL.
The repository has been in production use for some time and existing users can log in and work normally.

Recently I tried to create a new user, but that user cannot log in.
After entering the username and password, the browser shows the following error:

Code: Select all

com.openkm.core.RepositoryException: PathNotFoundException: 51fab7f8-42fd-4b3e-b9f1-861d2cf9ecf1 : /okm:personal
Go to login page

Before that I also saw a very similar error for /okm:trash:

Code: Select all

com.openkm.core.RepositoryException: PathNotFoundException: d5c197fc-b2ec-4bb4-8ab4-022bda2320cc : /okm:trash
Go to login page

Some details about my configuration and what I have already tried:

1) The new user was originally created with only a custom role (for example OME_Group).
After the error I also added ROLE_USER (and I tested once with ROLE_ADMIN as well),
but the problem with /okm:personal still appeared.

2) Existing users (including Administrator) can log in without any problem and work with documents as usual.

3) In the Desktop view I can see:
- okm:root under Taxonomy
- okm:categories under Categories
- The My documents, E-mail and Trash stacks

4) Under Trash I can see okm:trash and multiple per-user folders (EthanYang, F200001, F200005, etc.),
and trash works fine for existing users, so /okm:trash seems to exist.

5) In the Security tab I have already granted ROLE_USER read / write / delete permissions recursively on:
- okm:root
- okm:categories
- okm:templates
- okm:trash
and also on the personal folders that belong to existing users.

6) I cannot simply recreate the whole repository with hibernate.hbm2ddl=create,
because we already have a lot of production documents stored in this instance.

7) As a workaround, I found that if I temporarily assign both ROLE_ADMIN and ROLE_USER to the new user,
the user can log in successfully.
After the first login (when the personal folders are created),
I can remove ROLE_ADMIN and leave only ROLE_USER plus the custom roles,
and the user continues to work normally.
So the error only happens on the very first login when the user does NOT have ROLE_ADMIN.

Because of this, I suspect that the problem is related to the permissions on the system node /okm:personal
(and maybe also /okm:trash): for a normal user the system throws PathNotFoundException,
but with ROLE_ADMIN it can create the personal folders and everything works afterwards.

My questions:

1) What is the correct way to diagnose and repair the /okm:personal (and possibly /okm:trash) system nodes
in an existing repository without losing data?

2) Is there any SQL I can run on the database (for example on OKM_NODE_BASE or related tables) to:
- verify that the /okm:personal node exists and is correct, or
- recreate / fix it safely?

3) Could this problem be caused by a previous misconfiguration of security on the system nodes,
and if so, what are the recommended default ACLs for /okm:personal and /okm:trash?

If needed, I can provide the full stack trace from openkm.log and more screenshots of my configuration.

Thank you very much for any guidance.

Best regards,
Ethan

[jllort]

That happens because the users do not have the ROLE_USER, or because you have changed the security in the /okm:trash ( and the other affected nodes ), because at this level the ROLE_USER should have all the grants ( RWD etc... )

[Ethan.Yang]

Hi, thanks for your reply.

I have re-checked both points you mentioned:

1) All my users, including the problematic one (for example user F200001), DO have ROLE_USER.
The new user initially had only a custom role (OME_Group), but now it has:
- ROLE_USER
- OME_Group
(and for testing I also temporarily added ROLE_ADMIN, see below).

2) On the affected nodes I have given ROLE_USER full grants (R / W / D / security) recursively.

For example:
- /okm:root → ROLE_USER = R W D (applied recursively)
- /okm:categories → ROLE_USER = R W D (applied recursively)
- /okm:templates → ROLE_USER = R W D (applied recursively)
- /okm:trash → ROLE_USER = R W D (applied recursively)

Under “Trash” in the Desktop I can see `okm:trash` and several per-user folders
(EthanYang, F200001, F200005, okmAdmin, system, etc.), and trash works fine
for all existing users.

However, the problem with `/okm:personal` still happens **only on the first login** when the user does NOT have ROLE_ADMIN.

Workaround I found:

- If I temporarily assign BOTH ROLE_ADMIN and ROLE_USER to the new user,
the user can log in successfully.
- After that first login (when OpenKM creates the personal folders),
I can remove ROLE_ADMIN and leave only ROLE_USER + OME_Group, and the user continues
to work normally.

So once the personal folder has been created, ROLE_USER is enough and everything works.
The error only appears before the personal folder exists, and only when the user
logs in without ROLE_ADMIN.

Because of this behaviour I suspect there is still something wrong with the ACL
of the system node `/okm:personal` itself (not only `/okm:trash`).

Could you please clarify:

1) Which node in the UI corresponds exactly to `/okm:personal` so that I can check
its security settings? In the Desktop I see “My documents” with per-user folders,
but I do not see a node explicitly named `/okm:personal`.

2) What are the recommended default ACLs for `/okm:personal` and `/okm:trash`?
For example, should ROLE_USER have R W D + security on these nodes at the root level?

3) Is there any SQL I can run on the database (OKM_NODE_BASE and related tables)
to verify that the `/okm:personal` node exists and has the correct security entries,
or to repair it if it is inconsistent?

I can attach the full stack trace from openkm.log and screenshots of the current
security configuration if that helps.

Thanks again for your support.

[jllort]

okm:personal should have ROLE_USER ( read access ) or create a new profile -> remove the access to the personal and assign to these users