jackrabbit-dev mailing list archives

From "angela (JIRA)" <j...@apache.org>
Subject [jira] Updated: (JCR-2418) Read permission on parent node required to access an item's definition
Date Wed, 02 Dec 2009 10:04:20 GMT

     [ https://issues.apache.org/jira/browse/JCR-2418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela updated JCR-2418:
------------------------

    Attachment: JCR-2418.patch

Patch modifying ItemManager#getDefinition(NodeState) and #getDefinition(PropertyState), replacing
getItem(NodeId parentId) by calls that omit the permission check,
and 2 test cases:
a) a node and its definition are accessible even if the parent cannot be read
b) child nodes can be added to node B even if B's parent A cannot be read

> Read permission on parent node required to access an item's definition
> ----------------------------------------------------------------------
>
>                 Key: JCR-2418
>                 URL: https://issues.apache.org/jira/browse/JCR-2418
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-core
>            Reporter: angela
>         Attachments: JCR-2418.patch
>
>
> If a session is granted all permissions on a given item B but lacks permission to read
> its parent node A, an attempt to access the definition of B by means of
> Node.getDefinition or Property.getDefinition will fail with AccessDeniedException.
> Similarly, the same session will not be able to modify that item B - e.g. add a child
> node in case it was a node - since the implementation e.g. checks if that
> item B isn't protected, which is determined by looking at the definition.
> My feeling is that the item definition should be accessible even if the parent node
> cannot be read.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
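
A simplified model of the lookup the issue describes, added here as an illustration; it is not Jackrabbit code and not the attached patch. The class, method and map names and the /A/B sample tree are hypothetical, and the model assumes the item itself is still read-checked after the change.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of the JCR-2418 lookup; all names are hypothetical, not Jackrabbit's ItemManager.
public class DefinitionLookupDemo {
    static class AccessDenied extends Exception {
        AccessDenied(String msg) { super(msg); }
    }

    // Constructed sample tree: node /A (type "folder") with child node /A/B.
    static final Map<String, String> PARENT = Map.of("/A/B", "/A");
    static final Map<String, String> NODE_TYPE = Map.of("/A", "folder", "/A/B", "file");
    // Child definitions, keyed by the parent's node type and the child's name.
    static final Map<String, String> CHILD_DEFS = Map.of("folder/B", "B: protected=false");
    // The session may read B but not its parent A.
    static final Set<String> READABLE = Set.of("/A/B");

    // Session-facing access: every call goes through the read check.
    static String getItem(String path) throws AccessDenied {
        if (!READABLE.contains(path)) throw new AccessDenied("cannot read " + path);
        return NODE_TYPE.get(path);
    }

    // Definition of an item, given the node type of its parent.
    static String lookup(String parentType, String path) {
        return CHILD_DEFS.get(parentType + path.substring(path.lastIndexOf('/')));
    }

    // Reported behaviour: the parent is fetched through the checked path.
    static String getDefinitionChecked(String path) throws AccessDenied {
        getItem(path);                                  // the item itself must be readable
        return lookup(getItem(PARENT.get(path)), path); // throws if the parent is not
    }

    // Assumed shape of the fix: parent state is read internally, without a permission check.
    static String getDefinitionInternal(String path) throws AccessDenied {
        getItem(path);                                  // still checked
        return lookup(NODE_TYPE.get(PARENT.get(path)), path);
    }

    public static void main(String[] args) throws AccessDenied {
        try {
            getDefinitionChecked("/A/B");
        } catch (AccessDenied e) {
            System.out.println("checked lookup failed: " + e.getMessage());
        }
        System.out.println("internal lookup: " + getDefinitionInternal("/A/B"));
    }
}
```

The internal path returns only the definition derived from the parent's type, so the session never receives the parent item itself.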

