jackrabbit-oak-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukas Eder <lukas.e...@gmail.com>
Subject Re: Can the children of a non-visible node be listed?
Date Mon, 22 Apr 2013 08:28:48 GMT
2013/4/22 Jukka Zitting <jukka.zitting@gmail.com>:
> Hi,
> A question especially to Angela, but perhaps of interest also to others.
> Consider a content structure where a user has read access to a
> /foo/bar node, but not its parent, the /foo node. Additionally, the
> user also has read access to a /foo/baz property. In such a case the
> the following statements should work:
>     session.getNode("/foo/bar");
>     session.getProperty("/foo/baz");
> But the following statement would throw an exception:
>     session.getNode("/foo");
> So far so good. Now for the question:
> Given that the "bar" node and the "baz" property are visible, should
> it be possible to acquire Node- and PropertyIterators from the "/foo"
> parent, that contain those items? In other words, should the following
> statements (or their variants) work:
>     session.getNode("/foo").getNodes(); // contains "bar"
>     session.getNode("/foo").getProperties(); // contains "baz"
> Intuitively I'd say that these should *not* work, i.e. children of a
> non-accessible parent can't be iterated, only accessed directly by
> path.

I had recently thought about something similar, in another context.
Specifically, should the following queries return "bar" or not?

    SELECT * FROM [nt:base] AS n


    SELECT * FROM [nt:base] AS n
    WHERE ISCHILDNODE(n, '/foo')

The behaviour of the above might be worth considering, as far as
backwards-compatibility is concerned.


> That's how the post-OAK-709 NodeState contract is defined, but the
> current SecureNodeState implementation works differently. Before
> fixing the SecureNodeState implementation I'd like to verify that my
> interpretation of access rights is correct and we won't run in to
> backwards compatibility issues with it.
> BR,
> Jukka Zitting

View raw message