jackrabbit-dev mailing list archives

From "angela (Resolved) (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (JCR-2774) Access control for repository level API operations
Date Fri, 30 Sep 2011 14:06:45 GMT

     [ https://issues.apache.org/jira/browse/JCR-2774?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

angela resolved JCR-2774.

       Resolution: Fixed
    Fix Version/s: 2.3.1

Done for the default, resource-based access control implementation.
Apart from the repository operations defined by the JCR API, the registration of new privileges is controlled by the same mechanism, replacing the hardcoded check for the editing session being 'admin'.

> Access control for repository level API operations
> --------------------------------------------------
>                 Key: JCR-2774
>                 URL: https://issues.apache.org/jira/browse/JCR-2774
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-core, security
>            Reporter: angela
>            Assignee: angela
>             Fix For: 2.3.1
> It is an open issue (I guess since Jackrabbit 1.0) that the repository level write operations lack any kind of permission check.
> This issue has been raised during specification of JSR 283 [1] but didn't make it into the specification (left to implementation).
> In Jackrabbit 2.0 this affects the following parts of the API
> - namespace registration
> - node type registration
> - workspace creation/removal
> Based on an issue reported by David ("currently an anonymous user can write the namespace registry which is probably undesirable [...]"), we could at least add some minimal restrictions. In addition I would like to take up this discussion for JSR 333.
> [1] https://jsr-283.dev.java.net/issues/show_bug.cgi?id=486

This message is automatically generated by JIRA.