Return-Path: Delivered-To: apmail-jackrabbit-dev-archive@www.apache.org Received: (qmail 93138 invoked from network); 23 Sep 2008 15:30:05 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 23 Sep 2008 15:30:05 -0000 Received: (qmail 62435 invoked by uid 500); 23 Sep 2008 15:30:02 -0000 Delivered-To: apmail-jackrabbit-dev-archive@jackrabbit.apache.org Received: (qmail 62402 invoked by uid 500); 23 Sep 2008 15:30:02 -0000 Mailing-List: contact dev-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@jackrabbit.apache.org Delivered-To: mailing list dev@jackrabbit.apache.org Received: (qmail 62391 invoked by uid 99); 23 Sep 2008 15:30:02 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 23 Sep 2008 08:30:02 -0700 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.140] (HELO brutus.apache.org) (140.211.11.140) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 23 Sep 2008 15:29:10 +0000 Received: from brutus (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id 40BBE234C1E3 for ; Tue, 23 Sep 2008 08:29:44 -0700 (PDT) Message-ID: <334330838.1222183784263.JavaMail.jira@brutus> Date: Tue, 23 Sep 2008 08:29:44 -0700 (PDT) From: "Jukka Zitting (JIRA)" To: dev@jackrabbit.apache.org Subject: [jira] Updated: (JCR-1743) Session.checkPermission: add_node and set_property evaluation are not handled differently In-Reply-To: <1570657304.1221832844256.JavaMail.jira@brutus> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/JCR-1743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jukka Zitting updated JCR-1743: ------------------------------- Attachment: JCR-1743.patch Proposed patch that creates a new PropertyId for the non-existing property and uses that in the AccessManager.checkPermission call. While I was at it, I also added safeguards against paths like /path/to/property/property or /path/to/new-property-that-has-the-same-name-as-an-existing-node. The trouble with this patch is that it may break existing AccessManager implementations that expect checkPermission calls for new properties to be WRITE requests for the parent node. Perhaps we should add a marker interface or something similar that an AccessManager that does need this functionality must implement. This way we could keep full backwards compatibility at the expense of some extra trouble. Note that all this will only affect the 1.4 branch. > Session.checkPermission: add_node and set_property evaluation are not handled differently > ----------------------------------------------------------------------------------------- > > Key: JCR-1743 > URL: https://issues.apache.org/jira/browse/JCR-1743 > Project: Jackrabbit > Issue Type: Bug > Affects Versions: core 1.4.5 > Reporter: Tobias Bocanegra > Assignee: Jukka Zitting > Fix For: core 1.4.6 > > Attachments: JCR-1743.patch > > > if the property does not exist yet, Session.checkPermission invokes an AccessManager.checkPermission(... WRITE) for both cases. i.e. the access manager has no means for handle a "add_node" differently from a "set_property" > suggest to create a fake property id for the case where the property does not exist. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.