sling-dev mailing list archives

From "Mohit Arora (Jira)" <j...@apache.org>
Subject [jira] [Updated] (SLING-9212) Distribution.core checks for jcr:removeNode permissions on importer side for DELETE request
Date Tue, 17 Mar 2020 18:15:00 GMT

     [ https://issues.apache.org/jira/browse/SLING-9212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mohit Arora updated SLING-9212:
-------------------------------
    Fix Version/s: Content Distribution Core 0.4.4

> Distribution.core checks for jcr:removeNode permissions on importer side for DELETE request
> -------------------------------------------------------------------------------------------
>
>                 Key: SLING-9212
>                 URL: https://issues.apache.org/jira/browse/SLING-9212
>             Project: Sling
>          Issue Type: Bug
>          Components: Content Distribution
>            Reporter: Mohit Arora
>            Priority: Major
>             Fix For: Content Distribution Core 0.4.4
>
>
> When a resource is distributed from one endpoint to another with RequestType set to DELETE,
> the execute method of SimpleDistributionAgent [checks the permissions for the passed resolver
> on given path(s)|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/SimpleDistributionAgent.java#L175].
> In the case of a DELETE request, apart from the [configured permissions|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/PrivilegeDistributionRequestAuthorizationStrategy.java#L85],
> it also checks for {{jcr:removeNode}} permissions for the user on the path. This check happens
> on the exporter side but AFAIU, the actual deletion happens on the importer endpoint. The
> content does not get deleted on the exporter side. In that case, this permission check should
> happen on the importer side.
> cc - [~marett], [~ashishc]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
