jackrabbit-dev mailing list archives

From "Ray Davis (JIRA)" <j...@apache.org>
Subject [jira] Created: (JCR-2801) Inconsistent access to EveryonePrincipal
Date Thu, 28 Oct 2010 18:52:20 GMT
Inconsistent access to EveryonePrincipal
----------------------------------------

                 Key: JCR-2801
                 URL: https://issues.apache.org/jira/browse/JCR-2801
             Project: Jackrabbit Content Repository
          Issue Type: Bug
          Components: jackrabbit-core
    Affects Versions: 2.1.1
            Reporter: Ray Davis


Jackrabbit's PrincipalManagerImpl lets any session retrieve the EveryonePrincipal (whose name
is "everyone") via the getEveryone() method. An administrative session which calls getPrincipal("everyone")
naturally retrieves the same object. But a non-administrative session which calls getPrincipal("everyone")
will instead receive null.

The problem is caused by the DefaultPrincipalProvider, which refers to the EveryonePrincipal
in many other places (for example, always adding it to getGroupMembership results), but does
not allow for it in the canReadPrincipal check.

This makes it more difficult for clients to manage default Jackrabbit ACLs. In Apache Sling,
for example, a non-administrative user with all privileges on a Node will not be able to use
Sling's usual ModifyAceServlet to deny "everyone" access to that Node.
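As an added check (not code from the issue or from Jackrabbit itself), a Java method a repository operator can run against an ordinary, non-administrative session to detect the mismatch described above; obtaining the session (the login) is assumed to be done by the caller, and the class name is hypothetical:

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;

/**
 * Added consistency check for the behaviour reported in JCR-2801.
 * Returns null when getEveryone(), getPrincipal(name) and hasPrincipal(name)
 * agree for the given session, otherwise a description of the mismatch.
 */
public final class EveryonePrincipalCheck {

    public static String findInconsistency(Session session) throws RepositoryException {
        if (!(session instanceof JackrabbitSession)) {
            return "session is not a JackrabbitSession";
        }
        PrincipalManager pm = ((JackrabbitSession) session).getPrincipalManager();

        // Available to every session according to the report.
        Principal everyone = pm.getEveryone();
        String name = everyone.getName(); // "everyone" in jackrabbit-core

        // Reported to return null for non-administrative sessions.
        Principal byName = pm.getPrincipal(name);
        if (byName == null) {
            return "getPrincipal(\"" + name + "\") returned null for user "
                    + session.getUserID() + " although getEveryone() returned it";
        }
        if (!name.equals(byName.getName())) {
            return "getPrincipal(\"" + name + "\") returned a different principal: "
                    + byName.getName();
        }
        // hasPrincipal(name) should agree with a non-null getPrincipal(name).
        if (!pm.hasPrincipal(name)) {
            return "hasPrincipal(\"" + name + "\") is false although getPrincipal() found it";
        }
        return null;
    }
}
```

Run it once with an administrative session and once with a non-administrative one; on an affected 2.1.1 repository only the second call reports the null result.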

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

