jackrabbit-users mailing list archives

From Alexander Klimetschek <aklim...@adobe.com>
Subject Re: ACLs, GlobPattern and move
Date Fri, 30 Sep 2011 16:00:39 GMT

On 30.09.11 15:48, "Markus Joschko" <markus.joschko@gmail.com> wrote:
>I am not completely sure on this. At the moment I am totally confused
>about the behavior.
>With a mix of davex client and serverside sessions I've seen the
>described leakage: Only for newly created sessions the ACLs applied.
>
>On the other hand I have just written a test that works solely with an
>embedded jackrabbit and two sessions (admin & user) and here security
>seems to apply immediately on move, no leakage.

If you use Workspace.move() then this is working outside of a session (no
session.save() needed), i.e. it acts like a new session.

>Should it really only work with newly created sessions then that is IMO
>a security risk.

Hmm, yes, maybe I am wrong :-)

>In a setup like /departmentA/topsecret where topsecret is denied in
>rep:glob, topsecret should certainly not be visible to anyone even
>when the department is moved to /departmentB.

Yes.

Alex

-- 
Alexander Klimetschek
Developer // Adobe (Day) // Berlin - Basel




