From users-return-18983-apmail-jackrabbit-users-archive=jackrabbit.apache.org@jackrabbit.apache.org  Thu Jun 28 16:09:13 2012
Return-Path: <users-return-18983-apmail-jackrabbit-users-archive=jackrabbit.apache.org@jackrabbit.apache.org>
X-Original-To: apmail-jackrabbit-users-archive@minotaur.apache.org
Delivered-To: apmail-jackrabbit-users-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 170F39D36
	for <apmail-jackrabbit-users-archive@minotaur.apache.org>; Thu, 28 Jun 2012 16:09:13 +0000 (UTC)
Received: (qmail 88325 invoked by uid 500); 28 Jun 2012 16:09:12 -0000
Delivered-To: apmail-jackrabbit-users-archive@jackrabbit.apache.org
Received: (qmail 88294 invoked by uid 500); 28 Jun 2012 16:09:12 -0000
Mailing-List: contact users-help@jackrabbit.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@jackrabbit.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@jackrabbit.apache.org>
List-Post: <mailto:users@jackrabbit.apache.org>
List-Id: <users.jackrabbit.apache.org>
Reply-To: users@jackrabbit.apache.org
Delivered-To: mailing list users@jackrabbit.apache.org
Received: (qmail 88281 invoked by uid 99); 28 Jun 2012 16:09:12 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 28 Jun 2012 16:09:12 +0000
X-ASF-Spam-Status: No, hits=2.2 required=5.0
	tests=HTML_MESSAGE,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: local policy)
Received: from [85.13.132.85] (HELO dd7926.kasserver.com) (85.13.132.85)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 28 Jun 2012 16:09:03 +0000
Received: from mail-lb0-f170.google.com (mail-lb0-f170.google.com [209.85.217.170])
	by dd7926.kasserver.com (Postfix) with ESMTPSA id 51393260208
	for <users@jackrabbit.apache.org>; Thu, 28 Jun 2012 18:08:42 +0200 (CEST)
Received: by lbgc1 with SMTP id c1so7276712lbg.1
        for <users@jackrabbit.apache.org>; Thu, 28 Jun 2012 09:08:41 -0700 (PDT)
Received: by 10.112.46.198 with SMTP id x6mr1461568lbm.19.1340899721721; Thu,
 28 Jun 2012 09:08:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.114.11.65 with HTTP; Thu, 28 Jun 2012 09:08:21 -0700 (PDT)
From: =?UTF-8?B?VGhvbWFzIE3DpHJ6?= <thomas.maerz@primedo.com>
Date: Thu, 28 Jun 2012 18:08:21 +0200
Message-ID: <CALA8pV4y3UkNXf4RdfGjaiXQMEpbH7EAPCOAw4=7LjAE8qVJTQ@mail.gmail.com>
Subject: Moving of nodes requires read access to the whole tree
To: users@jackrabbit.apache.org
Content-Type: multipart/alternative; boundary=bcaec554060497b96a04c38a8b8c

--bcaec554060497b96a04c38a8b8c
Content-Type: text/plain; charset=UTF-8

Before JCR-3291 was fixed, Session#move(String, String) could move nodes
without having read-access to the whole tree.

- Deny jcr:read on /home and grant jcr:all on /home/users/usera to usera
- Move nodes from /home/users/usera/from to /home/users/usera/to with
usera's session
- AccessDeniedException is thrown

Is this by design or an oversight in JCR-3291?

--bcaec554060497b96a04c38a8b8c--