Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2016/06/10 08:50:20 UTC

[jira] [Created] (OAK-4459) Duplicate and case sensitive comparison of lockowner with user id

angela created OAK-4459:
---------------------------

             Summary: Duplicate and case sensitive comparison of lockowner with user id
                 Key: OAK-4459
                 URL: https://issues.apache.org/jira/browse/OAK-4459
             Project: Jackrabbit Oak
          Issue Type: Technical task
          Components: jcr
            Reporter: angela


The current lock implementation in oak-jcr contains multiple places where the user id stored with the editing session is compared to lock specific information (lock owner information).
IMO that should be streamlined to make sure the code works consistently across the various methods (which it currently doesn't; see OAK-4458).

Also, it looks troublesome to me that the comparison is case sensitive as the login by default is not case sensitive... alternatively compare it to a value that is known to be immutable such as e.g. the user ID as stored in the user management (and only fall back to session id, which might be {{null}} btw, if no user exists or user management is not supported).

In general, I find it quite problematic to base any kind of verification on the {{jcr:lockOwner}} implementation, which is _NOT_ intended to be used for that purpose (see specification)... if the locking feature was properly implemented, we would not base the ability to unlock a given node on information that can be application supplied such as the {{jcr:lockOwner}} property but rather make sure we have internal ways that allow for proper verification.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
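
The comparison problem described in the issue above, as an added Java illustration that is not part of the original message and is not Oak code. `USERS`, `storedUserId`, `isOwnerCaseSensitive` and `isOwner` are hypothetical names, and the in-memory map is a constructed stand-in for user management that assumes login names resolve case-insensitively, as the issue states.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

/** Added illustration with hypothetical names; not the oak-jcr implementation. */
public class LockOwnerCheck {

    // Constructed stand-in for user management:
    // lower-cased login name -> immutable user ID as stored.
    static final Map<String, String> USERS = Map.of("alice", "alice");

    /** Resolve a login name to the stored user ID, ignoring case (assumed login behaviour). */
    static Optional<String> storedUserId(String loginName) {
        if (loginName == null) {
            return Optional.empty(); // the session user ID may be null
        }
        return Optional.ofNullable(USERS.get(loginName.toLowerCase(Locale.ROOT)));
    }

    /** Pattern the issue criticises: raw, case-sensitive comparison with the session ID. */
    static boolean isOwnerCaseSensitive(String sessionUserId, String lockOwner) {
        return sessionUserId != null && sessionUserId.equals(lockOwner);
    }

    /**
     * One shared check for every call site: compare stored user IDs and fall back
     * to the raw session ID only when no user can be resolved.
     * Caveat from the issue: the owner string can be application supplied, so this
     * only makes the comparison consistent; it is not proof of ownership.
     */
    static boolean isOwner(String sessionUserId, String lockOwner) {
        if (lockOwner == null) {
            return false;
        }
        String current = storedUserId(sessionUserId).orElse(sessionUserId);
        String owner = storedUserId(lockOwner).orElse(lockOwner);
        return current != null && current.equals(owner);
    }

    public static void main(String[] args) {
        String lockOwner = "alice"; // constructed: value recorded when the lock was created
        String sessionId = "Alice"; // constructed: same user, later login with different casing
        System.out.println("case-sensitive check: " + isOwnerCaseSensitive(sessionId, lockOwner));
        System.out.println("shared check:         " + isOwner(sessionId, lockOwner));
        System.out.println("null session id:      " + isOwner(null, lockOwner));
        System.out.println("different user:       " + isOwner("bob", lockOwner));
    }
}
```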