Posted to oak-commits@jackrabbit.apache.org by tr...@apache.org on 2015/06/02 19:12:41 UTC

svn commit: r1683143 - in /jackrabbit/oak/branches/1.2/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/permission/ test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/

Author: tripod
Date: Tue Jun  2 17:12:41 2015
New Revision: 1683143

URL: http://svn.apache.org/r1683143
Log:
OAK-2933 AccessDenied when modifying transiently moved item with too many ACEs

Added:
    jackrabbit/oak/branches/1.2/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/MoveWithoutEntryCacheTest.java
Modified:
    jackrabbit/oak/branches/1.2/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidator.java

Modified: jackrabbit/oak/branches/1.2/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.2/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidator.java?rev=1683143&r1=1683142&r2=1683143&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.2/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidator.java (original)
+++ jackrabbit/oak/branches/1.2/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidator.java Tue Jun  2 17:12:41 2015
@@ -75,10 +75,11 @@ public class MoveAwarePermissionValidato
     private Validator visibleValidator(@Nonnull Tree source,
                                        @Nonnull Tree dest) {
         // TODO improve: avoid calculating the 'before' permissions in case the current parent permissions already point to the correct tree.
-        ImmutableTree parent = (ImmutableTree) moveCtx.rootBefore.getTree("/");
-        TreePermission tp = getPermissionProvider().getTreePermission(parent, TreePermission.EMPTY);
+        ImmutableTree immutableTree = (ImmutableTree) moveCtx.rootBefore.getTree("/");
+        TreePermission tp = getPermissionProvider().getTreePermission(immutableTree, TreePermission.EMPTY);
         for (String n : PathUtils.elements(source.getPath())) {
-            tp = tp.getChildPermission(n, parent.getChild(n).getNodeState());
+            immutableTree = immutableTree.getChild(n);
+            tp = tp.getChildPermission(n, immutableTree.getNodeState());
         }
         Validator validator = createValidator(source, dest, tp, this);
         return new VisibleValidator(validator, true, false);
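Review bot: The loop in `visibleValidator` is now correct only while `immutableTree` and `tp` are advanced together, one path element at a time, and nothing in the code states that invariant. The removed line resolved every element against the root tree, so for any source deeper than one level the child permission was built from the node state of the wrong tree; a short comment above the loop would stop that from being reintroduced, for example `// descend tree and permission in lockstep: each child permission must be built from the node state at that path in rootBefore`. The new name also describes the type rather than the role; `beforeTree` (or `sourceAncestor`) would say more than `immutableTree`. The method's closing brace lies outside this hunk, so the rest of the body is not reviewed here.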

Added: jackrabbit/oak/branches/1.2/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/MoveWithoutEntryCacheTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.2/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/MoveWithoutEntryCacheTest.java?rev=1683143&view=auto
==============================================================================
--- jackrabbit/oak/branches/1.2/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/MoveWithoutEntryCacheTest.java (added)
+++ jackrabbit/oak/branches/1.2/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/MoveWithoutEntryCacheTest.java Tue Jun  2 17:12:41 2015
@@ -0,0 +1,98 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.evaluation;
+
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.junit.Test;
+
+/**
+ * @see <a href="https://issues.apache.org/jira/browse/OAK-2933">OAK-2933</a>
+ */
+public class MoveWithoutEntryCacheTest extends AbstractOakCoreTest {
+    @Override
+    public void before() throws Exception {
+        super.before();
+
+        setupPermission("/", testPrincipal, true, PrivilegeConstants.JCR_READ);
+    }
+
+    @Override
+    public void after() throws Exception {
+        super.after();
+    }
+
+    @Override
+    protected ConfigurationParameters getSecurityConfigParameters() {
+        return ConfigurationParameters.of(AuthorizationConfiguration.NAME, ConfigurationParameters.of("eagerCacheSize", 0));
+    }
+
+    /**
+     * Similar to {@code org.apache.jackrabbit.oak.jcr.security.authorization.SessionMoveTest.testMoveAndAddProperty2()}
+     * without having a permission-entry cache.
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testMoveAndAddProperty2() throws Exception {
+        setupPermission("/a/b", testPrincipal, true,
+                PrivilegeConstants.JCR_REMOVE_NODE,
+                PrivilegeConstants.JCR_REMOVE_CHILD_NODES,
+                PrivilegeConstants.REP_ADD_PROPERTIES);
+        setupPermission("/a/bb", testPrincipal, true,
+                PrivilegeConstants.JCR_ADD_CHILD_NODES,
+                PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT);
+
+        String siblingDestPath = "/a/bb/destination";
+
+        Root testRoot = getTestRoot();
+        testRoot.move("/a/b/c", siblingDestPath);
+
+        Tree destTree = testRoot.getTree(siblingDestPath);
+        destTree.setProperty("newProp", "val");
+        testRoot.commit();
+    }
+
+    /**
+     * Same as {@code org.apache.jackrabbit.oak.jcr.security.authorization.SessionMoveTest.testMoveAndRemoveProperty2()}
+     * without having a permission-entry cache.
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testMoveAndRemoveProperty2() throws Exception {
+        setupPermission("/a/b", testPrincipal, true,
+                PrivilegeConstants.JCR_REMOVE_NODE,
+                PrivilegeConstants.JCR_REMOVE_CHILD_NODES,
+                PrivilegeConstants.REP_REMOVE_PROPERTIES);
+        setupPermission("/a/bb", testPrincipal, true,
+                PrivilegeConstants.JCR_ADD_CHILD_NODES,
+                PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT);
+
+        String siblingDestPath = "/a/bb/destination";
+
+        Root testRoot = getTestRoot();
+        testRoot.move("/a/b/c", siblingDestPath);
+
+        Tree destTree = testRoot.getTree(siblingDestPath);
+        destTree.removeProperty("cProp");
+        testRoot.commit();
+    }
+}
\ No newline at end of file
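Review bot: Both tests in `MoveWithoutEntryCacheTest` only show that `testRoot.commit()` succeeds with `eagerCacheSize` set to 0; neither checks that the same move is still refused when a required privilege is missing. Since the fix changes which node state the source permissions are evaluated against, a case that omits the grant on `/a/b` and expects the commit to fail with an access violation would guard against the validator erring in the permissive direction. The success criterion is also implicit, so a comment above each commit would help, e.g. `// must not fail: source permissions are evaluated against the pre-move tree (OAK-2933)`. The tests rely on `/a/b/c` and `cProp` existing, presumably created by `AbstractOakCoreTest`, which is worth stating in the class Javadoc. The `after()` override only calls `super.after()` and can be dropped.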