jackrabbit-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "angela (JIRA)" <j...@apache.org>
Subject [jira] Updated: (JCR-2418) Read permission on parent node required to access an item's definition
Date Wed, 02 Dec 2009 10:04:20 GMT

     [ https://issues.apache.org/jira/browse/JCR-2418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

angela updated JCR-2418:

    Attachment: JCR-2418.patch

patch modifying ItemManager#getDefinitiion(NodeState) and #getDefinition(PropertyState) replacing
getItem(NodeId parentId) by calls that omit the permission check.
and 2 tests cases:
a) node and it's definition is accessible even if the parent cannot be read
b) child nodes can be added to node B even B's parent A cannot be read

> Read permission on parent node required to access an item's definition
> ----------------------------------------------------------------------
>                 Key: JCR-2418
>                 URL: https://issues.apache.org/jira/browse/JCR-2418
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-core
>            Reporter: angela
>         Attachments: JCR-2418.patch
> If a session is granted all permissions on a given item B but lacks permission to read
it's parent node A an attempt to
> access the definition of B by means of Node.getDefinition or Property.getDefinition will
fail with AccessDeniedException.
> Similarly, the same session will not be able to modify that item B - e.g. add a child
node in case it was a node - since implementation e.g. checks of that
> item B isn't protected, which is determined by looking at the definition.
> My feeling is, that the item definition should be accessible even if the parent node
cannot be read.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message