Posted to oak-issues@jackrabbit.apache.org by "Jukka Zitting (JIRA)" <ji...@apache.org> on 2013/11/01 19:43:20 UTC

[jira] [Resolved] (OAK-1140) SecureNodeBuilder should use the base state for the security context

     [ https://issues.apache.org/jira/browse/OAK-1140?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jukka Zitting resolved OAK-1140.
--------------------------------

       Resolution: Fixed
    Fix Version/s: 0.11
         Assignee: Jukka Zitting

Fixed in revision 1538018.

> SecureNodeBuilder should use the base state for the security context
> --------------------------------------------------------------------
>
>                 Key: OAK-1140
>                 URL: https://issues.apache.org/jira/browse/OAK-1140
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 0.10
>            Reporter: Jukka Zitting
>            Assignee: Jukka Zitting
>             Fix For: 0.11
>
>
> Currently the SecureNodeBuilder uses the current state that includes all transient changes when constructing the SecurityContext after a refresh.
> This is potentially troublesome, as we generally don't enforce write access controls on transient changes (they're only checked during save), and it might therefore be possible for a client to transiently modify the permissions and thus gain access to content that would otherwise be read-protected.
> To avoid worrying about such cases the SecureNodeBuilder should always use the base state (i.e. no transient modifications) for the SecurityContext.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
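
The difference between the two choices of state described in the issue, as an added example that is not part of the original message and is not Oak code. It is a toy model: `Snapshot`, `Builder` and all method names are hypothetical, and the only behaviour assumed is that transient permission edits are accepted without a write check until save.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Toy model, not Oak code: every class and method name here is hypothetical.
public class BaseStateContextDemo {

    // An immutable tree snapshot: path -> users allowed to read it.
    static final class Snapshot {
        final Map<String, Set<String>> readers;
        Snapshot(Map<String, Set<String>> readers) { this.readers = Map.copyOf(readers); }
        boolean canRead(String user, String path) {
            return readers.getOrDefault(path, Set.of()).contains(user);
        }
    }

    // A builder holding the persisted base state plus unsaved (transient) changes.
    static final class Builder {
        final Snapshot base;
        final Map<String, Set<String>> transientAcl = new HashMap<>();
        Builder(Snapshot base) { this.base = base; }

        // Assumption from the issue: write access is only checked during save,
        // so a transient permission edit is accepted here without any check.
        void setReaders(String path, Set<String> users) { transientAcl.put(path, users); }

        // Base state with all transient changes applied on top.
        Snapshot currentState() {
            Map<String, Set<String>> merged = new HashMap<>(base.readers);
            merged.putAll(transientAcl);
            return new Snapshot(merged);
        }
        // Behaviour reported in the issue: read check against the current state.
        boolean canReadUsingCurrentState(String user, String path) {
            return currentState().canRead(user, path);
        }
        // Behaviour the issue asks for: read check against the base state only.
        boolean canReadUsingBaseState(String user, String path) {
            return base.canRead(user, path);
        }
    }

    public static void main(String[] args) {
        Snapshot persisted = new Snapshot(Map.of("/secret", Set.of("admin"))); // constructed data
        Builder session = new Builder(persisted);
        session.setReaders("/secret", Set.of("admin", "guest")); // unsaved edit by "guest"
        System.out.println("current state: " + session.canReadUsingCurrentState("guest", "/secret"));
        System.out.println("base state:    " + session.canReadUsingBaseState("guest", "/secret"));
    }
}
```

With the context built from the base state, the unsaved permission edit has no effect on read checks until a save has passed the write access check.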