jackrabbit-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bart van der Schans (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCR-3364) Moving of nodes requires read access to the whole tree
Date Wed, 04 Jul 2012 09:38:34 GMT

    [ https://issues.apache.org/jira/browse/JCR-3364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13406394#comment-13406394

Bart van der Schans commented on JCR-3364:

Hi Thomas,

This might be a bit tricky. The only way to prevent the creation of cyclic paths (that I can
see) is that all parent nodes of the target are pulled in the transient session of the user.
For example in your example:

- /a/aa
- /b

move /a to /b
results in:
- /b/a/aa

move b to /a/aa
results in:
- /a/aa/b

sess2.save() <- should fail, because that would create a cycle (parent of  a is no longer
root but /b)

The problem is that the second session cannot "check" this since if it has no read access
to node a. So (at least in the current implementation) you need read access to all parent
nodes of the target.

I suspect this is just one of the problems with not being able to read the parent nodes. I
haven't really tried it, but item.getPath() should fail as well if you can't read all parent

> Moving of nodes requires read access to the whole tree 
> -------------------------------------------------------
>                 Key: JCR-3364
>                 URL: https://issues.apache.org/jira/browse/JCR-3364
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-core
>    Affects Versions: 2.2.12, 2.4.2, 2.5
>            Reporter: Thomas März
> Before JCR-3291 was fixed, Session#move(String, String) could move nodes without having
read-access to the whole tree.
> - Deny jcr:read on /home and grant jcr:all on /home/users/usera to usera
> - Move nodes from /home/users/usera/from to /home/users/usera/to with usera's session
> - AccessDeniedException is thrown
> http://article.gmane.org/gmane.comp.apache.jackrabbit.user/18892

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message