You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jackrabbit.apache.org by "Jukka Zitting (JIRA)" <ji...@apache.org> on 2008/09/23 17:29:44 UTC
[jira] Updated: (JCR-1743) Session.checkPermission: add_node and
set_property evaluation are not handled differently
[ https://issues.apache.org/jira/browse/JCR-1743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jukka Zitting updated JCR-1743:
-------------------------------
Attachment: JCR-1743.patch
Proposed patch that creates a new PropertyId for the non-existing property and uses that in the AccessManager.checkPermission call.
While I was at it, I also added safeguards against paths like /path/to/property/property or /path/to/new-property-that-has-the-same-name-as-an-existing-node.
The trouble with this patch is that it may break existing AccessManager implementations that expect checkPermission calls for new properties to be WRITE requests for the parent node. Perhaps we should add a marker interface or something similar that an AccessManager that does need this functionality must implement. This way we could keep full backwards compatibility at the expense of some extra trouble.
Note that all this will only affect the 1.4 branch.
> Session.checkPermission: add_node and set_property evaluation are not handled differently
> -----------------------------------------------------------------------------------------
>
> Key: JCR-1743
> URL: https://issues.apache.org/jira/browse/JCR-1743
> Project: Jackrabbit
> Issue Type: Bug
> Affects Versions: core 1.4.5
> Reporter: Tobias Bocanegra
> Assignee: Jukka Zitting
> Fix For: core 1.4.6
>
> Attachments: JCR-1743.patch
>
>
> if the property does not exist yet, Session.checkPermission invokes an AccessManager.checkPermission(... WRITE) for both cases. i.e. the access manager has no means for handle a "add_node" differently from a "set_property"
> suggest to create a fake property id for the case where the property does not exist.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.