jackrabbit-oak-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jukka Zitting <jukka.zitt...@gmail.com>
Subject Can the children of a non-visible node be listed?
Date Mon, 22 Apr 2013 07:47:00 GMT

A question especially to Angela, but perhaps of interest also to others.

Consider a content structure where a user has read access to a
/foo/bar node, but not its parent, the /foo node. Additionally, the
user also has read access to a /foo/baz property. In such a case the
the following statements should work:


But the following statement would throw an exception:


So far so good. Now for the question:

Given that the "bar" node and the "baz" property are visible, should
it be possible to acquire Node- and PropertyIterators from the "/foo"
parent, that contain those items? In other words, should the following
statements (or their variants) work:

    session.getNode("/foo").getNodes(); // contains "bar"
    session.getNode("/foo").getProperties(); // contains "baz"

Intuitively I'd say that these should *not* work, i.e. children of a
non-accessible parent can't be iterated, only accessed directly by

That's how the post-OAK-709 NodeState contract is defined, but the
current SecureNodeState implementation works differently. Before
fixing the SecureNodeState implementation I'd like to verify that my
interpretation of access rights is correct and we won't run in to
backwards compatibility issues with it.


Jukka Zitting

View raw message