jackrabbit-users mailing list archives

From Markus Joschko <markus.josc...@gmail.com>
Subject Re: ACLs, GlobPattern and move
Date Fri, 30 Sep 2011 13:48:14 GMT

On Fri, Sep 30, 2011 at 3:06 PM, Alexander Klimetschek
<aklimets@adobe.com> wrote:
> On 28.09.11 09:34, "Markus Joschko" <markus.joschko@gmail.com> wrote:
>>Yep, I tried a refresh on the session with no effect. I also fetch the
>>node every time again with the getNode(path) method on the session.
>>Does anybody know if there is a difference in the permission handling
>>between CRX and jackrabbit?
>>How are the permissions cached and when is the cache invalidated?
>
> AFAIK if you change permissions, they will only apply to newly created
> sessions.

I am not completely sure on this. At the moment I am totally confused
about the behavior.
With a mix of davex client and server-side sessions I've seen the
described leakage: only for newly created sessions were the ACLs applied.

On the other hand I have just written a test that works solely with an
embedded Jackrabbit and two sessions (admin & user) and here security
seems to apply immediately on move, no leakage.

Should it really only work with newly created sessions, then that is IMO
a security risk.
In a setup like /departmentA/topsecret where topsecret is denied in
rep:glob, topsecret should certainly not be visible to anyone even
when the department is moved to /departmentB.

As I said, I cannot reproduce it programmatically but I am a bit
uneasy about that at the moment.

Regards,
 Markus

>
> Cheers,
> Alex
>
>
> --
> Alexander Klimetschek
> Developer // Adobe (Day) // Berlin - Basel
>
>
>
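
A check along the lines of the two-session test described in the message, as an added example that is not code from this thread or from the Jackrabbit project: it sets a rep:glob deny on /departmentA, moves the node while a user session is open, and reports whether topsecret is visible to the existing session and to a new one. It assumes Jackrabbit 2.x on the classpath, an empty working directory, the default admin/admin account and the default root ACL that lets everyone read; the class name, the `globtest` user and the `report`/`findAcl` helpers are constructed for the example.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.jcr.*;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.core.TransientRepository;
public class GlobDenyMoveCheck { // hypothetical class name
    public static void main(String[] args) throws Exception {
        Repository repo = new TransientRepository(); // embedded; run in an empty directory
        Session admin = repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        // Constructed fixture: test user "globtest" and the tree from the message.
        Principal p = ((JackrabbitSession) admin).getUserManager()
                .createUser("globtest", "globtest").getPrincipal();
        admin.getRootNode().addNode("departmentA").addNode("topsecret");
        admin.getRootNode().addNode("departmentB");
        admin.save();
        // Deny jcr:read on the node /departmentA/topsecret via rep:glob on /departmentA.
        AccessControlManager acm = admin.getAccessControlManager();
        JackrabbitAccessControlList acl = findAcl(acm, "/departmentA");
        Map<String, Value> glob = Collections.singletonMap(
                "rep:glob", admin.getValueFactory().createValue("/topsecret"));
        acl.addEntry(p, new Privilege[] { acm.privilegeFromName(Privilege.JCR_READ) }, false, glob);
        acm.setPolicy("/departmentA", acl);
        admin.save();
        // This user session is opened before the move and kept open across it.
        Session user = repo.login(new SimpleCredentials("globtest", "globtest".toCharArray()));
        report("before move, existing session", user, "/departmentA/topsecret");
        admin.move("/departmentA", "/departmentB/departmentA");
        admin.save();
        user.refresh(false);
        report("after move, existing session", user, "/departmentB/departmentA/topsecret");
        Session fresh = repo.login(new SimpleCredentials("globtest", "globtest".toCharArray()));
        report("after move, new session", fresh, "/departmentB/departmentA/topsecret");
        fresh.logout(); user.logout(); admin.logout();
    }
    // Prints PASS when the denied node is hidden from the session, FAIL when it is readable.
    static void report(String label, Session s, String path) throws RepositoryException {
        System.out.println((s.nodeExists(path) ? "FAIL (visible): " : "PASS (hidden): ") + label);
    }
    // Returns the first applicable ACL; the fixture node is new, so no policy is set on it yet.
    static JackrabbitAccessControlList findAcl(AccessControlManager acm, String path) throws RepositoryException {
        for (AccessControlPolicyIterator it = acm.getApplicablePolicies(path); it.hasNext();) {
            AccessControlPolicy pol = it.nextAccessControlPolicy();
            if (pol instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) pol;
        }
        throw new IllegalStateException("no applicable ACL for " + path);
    }
}
```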
