Message-ID: <17293191.post@talk.nabble.com>
Date: Sat, 17 May 2008 08:50:58 -0700 (PDT)
From: Roman Puchkovskiy
To: users@jackrabbit.apache.org
Subject: REMOVE access is not ckecked when moving a node

Hi.

When a node is moved using session.move(), should REMOVE access be checked? It seems that it's not checked. When a node cannot be removed because AccessManager does not allow this, it still can be moved. Here's a test:

    public void testMoveNode() throws Exception {
        Node root = session.getRootNode();
        Node nodeToMove = root.addNode("nodeToMove");
        session.save();
        session.move(nodeToMove.getPath(), "/someNewPath");
        try {
            session.save();
            fail("Move should not be successful!");
        } catch (AccessDeniedException e) {
            // expected
        }
    }

While AccessManager's isGranted() method is:

    public boolean isGranted(ItemId id, int permissions)
            throws ItemNotFoundException, RepositoryException {
        // don't allow to remove any items
        if ((permissions & REMOVE) == REMOVE) {
            return false;
        }
        return true;
    }

For comparison: following test passes (it removes a node instead of moving):

    public void testDeleteNode() throws Exception {
        Node root = session.getRootNode();
        Node nodeToDelete = root.addNode("nodeToDelete");
        session.save();
        nodeToDelete.remove();
        try {
            session.save();
            fail("Removal should not be successful!");
        } catch (AccessDeniedException e) {
            // expected
        }
    }

Maven project with tests is here: http://rpuch.narod.ru/test-remove-access.zip
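
A caller-side guard for the behaviour reported above, as an added example that is not part of the original message or of Jackrabbit's code: it treats a move as a removal at the source plus an addition at the destination, and checks both through the standard JCR Session.checkPermission() call before moving. The class name GuardedMove is hypothetical, and the example assumes the repository's checkPermission() consults the same AccessManager that node removal does.

```java
import java.security.AccessControlException;

import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

/**
 * Added example (hypothetical helper, not Jackrabbit code): refuse a move
 * unless the session may remove the source and add a node at the destination.
 */
public final class GuardedMove {

    private GuardedMove() {
    }

    /**
     * Moves srcAbsPath to destAbsPath only if the session holds "remove" on
     * the source and "add_node" on the destination. The change is still
     * transient afterwards; the caller calls session.save() as usual.
     */
    public static void move(Session session, String srcAbsPath, String destAbsPath)
            throws RepositoryException {
        // A move takes the item away from its old location, so demand the
        // same permission that Node.remove() followed by save() would need.
        require(session, srcAbsPath, "remove");
        // The destination path receives a new child node.
        require(session, destAbsPath, "add_node");
        session.move(srcAbsPath, destAbsPath);
    }

    /** Maps a denied JCR action to AccessDeniedException, the exception the tests above expect. */
    private static void require(Session session, String absPath, String action)
            throws RepositoryException {
        try {
            // JCR action strings: "read", "set_property", "add_node", "remove".
            session.checkPermission(absPath, action);
        } catch (AccessControlException e) {
            throw new AccessDeniedException(action + " denied on " + absPath, e);
        }
    }
}
```

The guard only covers code paths that call it; callers that invoke session.move() directly still depend on what the repository itself checks on save.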