jackrabbit-dev mailing list archives

From "angela (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JCR-1613) REMOVE access is not checked when moving a node
Date Fri, 21 Nov 2008 15:53:44 GMT

    [ https://issues.apache.org/jira/browse/JCR-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12649689#action_12649689 ]

angela commented on JCR-1613:

When moving a node using Session.move() the moved node doesn't get marked as removed (as it
would be upon Node.remove). Since the permissions are checked based on the state modifications
upon save() only, the check for REMOVE permission is omitted.

However: The same test being executed with a Workspace.move(String, String) would fail, as
the BatchedItemOperations explicitly check for both: REMOVE permission on the target node
and ADD_NODE permission on the destination parent.

For consistency between Session.move() and Workspace.move() I would opt for adding the corresponding
permission check to Session.move().

> REMOVE access is not checked when moving a node
> -----------------------------------------------
>                 Key: JCR-1613
>                 URL: https://issues.apache.org/jira/browse/JCR-1613
>             Project: Jackrabbit
>          Issue Type: Bug
>          Components: jackrabbit-core
>    Affects Versions: core 1.4.4
>            Reporter: Roman Puchkovskiy
>         Attachments: test-remove-access.zip
> When a node cannot be removed because AccessManager does not allow this, it still can be moved (using Session.move()).

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
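
The difference between the two move paths described in the comment above, as an added example that is not part of the original message and is not Jackrabbit code. It is a simplified model: the class, enum and method names and the sample policy are hypothetical and constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model (hypothetical names, not Jackrabbit classes) of the two move paths.
public class MoveCheckModel {
    enum Perm { REMOVE, ADD_NODE }
    enum Change { REMOVED, ADDED, MOVED }

    // Constructed policy: everything is granted except REMOVE on /a/protected.
    static boolean granted(String path, Perm p) {
        return !(p == Perm.REMOVE && path.equals("/a/protected"));
    }

    // Save-time check: permissions are derived only from the recorded state changes.
    static boolean saveAllowed(Map<String, Change> changes) {
        for (Map.Entry<String, Change> e : changes.entrySet()) {
            if (e.getValue() == Change.REMOVED && !granted(e.getKey(), Perm.REMOVE)) return false;
            if (e.getValue() == Change.ADDED && !granted(e.getKey(), Perm.ADD_NODE)) return false;
            // A MOVED state maps to no permission here, so it passes unchecked.
        }
        return true;
    }

    // Session-style move: the node is recorded as MOVED, never as REMOVED.
    // explicitCheck models the fix proposed in the comment.
    static boolean sessionMove(String src, String destParent, boolean explicitCheck) {
        if (explicitCheck && !workspaceMove(src, destParent)) return false;
        Map<String, Change> changes = new LinkedHashMap<>();
        changes.put(src, Change.MOVED);
        return saveAllowed(changes);
    }

    // Workspace-style move: REMOVE on the node and ADD_NODE on the destination parent.
    static boolean workspaceMove(String src, String destParent) {
        return granted(src, Perm.REMOVE) && granted(destParent, Perm.ADD_NODE);
    }

    public static void main(String[] args) {
        String src = "/a/protected", destParent = "/b";
        Map<String, Change> removal = new LinkedHashMap<>();
        removal.put(src, Change.REMOVED);
        System.out.println("remove + save allowed:        " + saveAllowed(removal));
        System.out.println("session move (state only):    " + sessionMove(src, destParent, false));
        System.out.println("workspace move (explicit):    " + workspaceMove(src, destParent));
        System.out.println("session move (with the fix):  " + sessionMove(src, destParent, true));
    }
}
```

In this model only the state-derived session move succeeds on the protected node, which is the inconsistency the comment proposes to close.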