jackrabbit-dev mailing list archives

From "Jukka Zitting (JIRA)" <j...@apache.org>
Subject [jira] Updated: (JCR-1743) Session.checkPermission: add_node and set_property evaluation are not handled differently
Date Mon, 29 Sep 2008 08:50:44 GMT

     [ https://issues.apache.org/jira/browse/JCR-1743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jukka Zitting updated JCR-1743:
-------------------------------

    Fix Version/s:     (was: core 1.4.6)

This is actually not just a Session.checkPermission issue; it also affects ItemImpl.save, where
we also check the permissions. We should keep checkPermission in line with the actual permission
checks in save().

The ItemImpl.save method never checks permissions on new items; it just allows the addition
of a property of a node if it's OK to modify the parent.

If we modify this, should we also change the way child node additions are handled?

I'm untagging this from 1.4.6 as it's not clear how this should be handled. We can create
a 1.4.7 release later once there's consensus on what to do.

> Session.checkPermission: add_node and set_property evaluation are not handled differently
> -----------------------------------------------------------------------------------------
>
>                 Key: JCR-1743
>                 URL: https://issues.apache.org/jira/browse/JCR-1743
>             Project: Jackrabbit
>          Issue Type: Improvement
>          Components: jackrabbit-core, security
>    Affects Versions: core 1.4.5
>            Reporter: Tobias Bocanegra
>            Assignee: Jukka Zitting
>         Attachments: JCR-1743-alternative.patch, JCR-1743.patch
>
>
> If the property does not exist yet, Session.checkPermission invokes an AccessManager.checkPermission(...
> WRITE) for both cases, i.e. the access manager has no means to handle an "add_node" differently
> from a "set_property".
> Suggest creating a fake property id for the case where the property does not exist.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

