diff --git a/services/search/pkg/search/service.go b/services/search/pkg/search/service.go index 2c7f4ce842..f7ae9ca5dc 100644 --- a/services/search/pkg/search/service.go +++ b/services/search/pkg/search/service.go @@ -246,9 +246,18 @@ func (s *Service) searchIndex(ctx context.Context, req *searchsvc.SearchRequest, return nil, err } - ownerCtx, err := getAuthContext(&user.User{Id: space.Owner.Id}, s.gatewaySelector, s.secret, s.logger) - if err != nil { - return nil, err + var ownerCtx context.Context + if space.Owner.Id.Type == user.UserType_USER_TYPE_SPACE_OWNER { + // We can't impersonate SPACE_OWNER users and have to fall back to using the user auth instead, + // which will not resolve the absolute path of the share in the space but only the part the user + // is allowed to see. + // In the future this problem can be solved using service accounts. + ownerCtx = ctx + } else { + ownerCtx, err = getAuthContext(&user.User{Id: space.Owner.Id}, s.gatewaySelector, s.secret, s.logger) + if err != nil { + return nil, err + } } gpRes, err := gatewayClient.GetPath(ownerCtx, &provider.GetPathRequest{