Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 0BC92200B64 for ; Tue, 2 Aug 2016 17:44:23 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 0A7C6160A76; Tue, 2 Aug 2016 15:44:23 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 5E2FC160A65 for ; Tue, 2 Aug 2016 17:44:22 +0200 (CEST) Received: (qmail 2113 invoked by uid 500); 2 Aug 2016 15:44:21 -0000 Mailing-List: contact oak-issues-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: oak-dev@jackrabbit.apache.org Delivered-To: mailing list oak-issues@jackrabbit.apache.org Received: (qmail 1819 invoked by uid 99); 2 Aug 2016 15:44:20 -0000 Received: from arcas.apache.org (HELO arcas) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 02 Aug 2016 15:44:20 +0000 Received: from arcas.apache.org (localhost [127.0.0.1]) by arcas (Postfix) with ESMTP id A1C692C0E38 for ; Tue, 2 Aug 2016 15:44:20 +0000 (UTC) Date: Tue, 2 Aug 2016 15:44:20 +0000 (UTC) From: "Marco Piovesana (JIRA)" To: oak-issues@jackrabbit.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Created] (OAK-4632) User with with just JCR_READ privilege can delete a node MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Tue, 02 Aug 2016 15:44:23 -0000 Marco Piovesana created OAK-4632: ------------------------------------ Summary: User with with just JCR_READ privilege can delete a node Key: OAK-4632 URL: https://issues.apache.org/jira/browse/OAK-4632 Project: Jackrabbit Oak Issue Type: Bug Components: core Affects Versions: 1.4.5 Reporter: Marco Piovesana I have tow users: _admin_ and _userA_. _admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ tries to delete the folder no exception is thrown and the folder is deleted. Am I doing something wrong? {code:title=DeleteTest.java|borderStyle=solid} public void deleteWithoutPermission() throws IOException, RepositoryException { File driveFile = new File("/tmp/oakTest", "oakrepo"); File repositoryFile = new File(driveFile, "repository"); File dataStoreFile = new File(driveFile, "datastore"); BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath()); FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create(); NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create(); Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl()); Repository repository = jcr.createRepository(); Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray())); UserManager userManager = ((SessionImpl) session).getUserManager(); User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null); session.save(); Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder"); folder.addMixin(JcrConstants.MIX_SHAREABLE); Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder"); otherFolder.addMixin(JcrConstants.MIX_SHAREABLE); session.save(); String path = otherFolder.getPath(); AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(), new String[]{Privilege.JCR_READ}, true); session.save(); session.logout(); session = repository.login(new SimpleCredentials("userA", "userA".toCharArray())); Node node = session.getNode(path); node.remove(); boolean exist = session.itemExists(path); } {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)