jackrabbit-dev mailing list archives

From "angela (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JCR-2754) jcr:nodeTypeManagement necessary for addNode("name", "type")?
Date Mon, 04 Oct 2010 07:25:33 GMT

    [ https://issues.apache.org/jira/browse/JCR-2754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917501#action_12917501 ]

angela commented on JCR-2754:

I think the description of the privilege is not accurate for the following reason. Initially
the access control mechanism to control the creation, modification and removal of properties
was jcr:modifyProperties ("the privilege to create, modify and remove the properties of a
node"). This equally affected protected and non-protected properties. In a later stage of
JSR-283 this approach has been questioned [1] and the EG decided to define specific privileges
for those protected properties set (not only changed) by JCR API methods. In other words, jcr:nodeTypeManagement
is a replacement for jcr:modifyProperty for the protected properties jcr:mixinTypes and jcr:primaryType.
If in case of the jcr:primaryType its functionality was limited to Node.setPrimaryType, the
API consumer could just work around the missing privilege by always using Node.addNode(String,
String) or by using export-import functionality to change the
primary type later on. From my point of view we should resolve this issue wontfix and fix
the specification.

[1] https://jsr-283.dev.java.net/issues/show_bug.cgi?id=486

> jcr:nodeTypeManagement necessary for addNode("name", "type")?
> -------------------------------------------------------------
>                 Key: JCR-2754
>                 URL: https://issues.apache.org/jira/browse/JCR-2754
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core, security
>    Affects Versions: 2.0.0, 2.1.0, 2.1.1
>            Reporter: Jukka Zitting
>            Assignee: angela
>            Priority: Minor
>
> Our current implementation of addNode("name", "type") requires the jcr:nodeTypeManagement
> permission, that's defined by JSR 283 as the "privilege to add and remove mixin node types
> and change the primary node type of a node".
> In a private discussion this implementation was questioned, based on the argument that
> the spec seems to only refer to "changing" the primary type, not specifying it during creation.
> Personally I don't care too much either way, and since the only harm done by the current
> implementation seems to be some confusion, I'd rather not change the implementation to prevent
> backwards compatibility issues.
> Anyway, I'm filing this issue to solicit feedback from the community. If the consensus
> is that addNode("name", "type") shouldn't need the jcr:nodeTypeManagement permission, then
> we should clarify the spec in JSR 333 and make this change in Jackrabbit 3.0. Otherwise we'll
> just resolve this issue as Won't Fix.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
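
A check for the behaviour discussed in this thread, added here as an example (it is not code from the Jackrabbit project or from either commenter): given a session that holds jcr:addChildNodes but not jcr:nodeTypeManagement, it reports whether addNode with an explicit primary type is refused. The class name, `probeName`, the use of `nt:unstructured`, and the assumption that the repository evaluates the permission when addNode is called rather than at save() are all assumptions of this example.

```java
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;

/** Hypothetical helper for an access-control regression test. */
public final class TypedAddNodeCheck {

    public enum Result { NOT_APPLICABLE, DENIED, ALLOWED }

    /**
     * Probes typed node creation under parentPath with a restricted session.
     * Nothing is persisted: the transient change is always discarded.
     */
    public static Result probe(Session session, String parentPath, String probeName)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        Privilege[] addChild = {
            acm.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES) };
        Privilege[] nodeTypeMgmt = {
            acm.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT) };

        // The question only arises for a session that may add children
        // but has not been granted jcr:nodeTypeManagement.
        if (!acm.hasPrivileges(parentPath, addChild)
                || acm.hasPrivileges(parentPath, nodeTypeMgmt)) {
            return Result.NOT_APPLICABLE;
        }

        Node parent = session.getNode(parentPath);
        try {
            // Explicit primary type: the case the issue is about.
            // Assumption: the permission is checked here, not deferred to
            // save(); a deferring implementation would need save() as well.
            parent.addNode(probeName, "nt:unstructured");
            return Result.ALLOWED;
        } catch (AccessDeniedException e) {
            return Result.DENIED;
        } finally {
            // Drop the transient probe node so the workspace is unchanged.
            session.refresh(false);
        }
    }
}
```

With the implementation described in the issue, a session of that kind should get `DENIED`; `ALLOWED` would mean the primary type can be chosen at creation time without jcr:nodeTypeManagement.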
