Posted to dev@jackrabbit.apache.org by "Ray Davis (JIRA)" <ji...@apache.org> on 2010/10/28 20:52:20 UTC

[jira] Created: (JCR-2801) Inconsistent access to EveryonePrincipal

Inconsistent access to EveryonePrincipal
----------------------------------------

                 Key: JCR-2801
                 URL: https://issues.apache.org/jira/browse/JCR-2801
             Project: Jackrabbit Content Repository
          Issue Type: Bug
          Components: jackrabbit-core
    Affects Versions: 2.1.1
            Reporter: Ray Davis


Jackrabbit's PrincipalManagerImpl lets any session retrieve the EveryonePrincipal (whose name is "everyone") via the getEveryone() method. An administrative session which calls getPrincipal("everyone") naturally retrieves the same object. But a non-administrative session which calls getPrincipal("everyone") will instead receive null.

The problem is caused by the DefaultPrincipalProvider, which refers to the EveryonePrincipal in many other places (for example, always adding it to getGroupMembership results), but does not allow for it in the canReadPrincipal check.

This makes it more difficult for clients to manage default Jackrabbit ACLs. In Apache Sling, for example, a non-administrative user with all privileges on a Node will not be able to use Sling's usual ModifyAceServlet to deny "everyone" access to that Node.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
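The inconsistency the report describes, reduced to a small self-contained model so it can be checked without a repository: an added example, not Jackrabbit's code. `SessionModel`, `NamedPrincipal` and `ModelPrincipalProvider` are constructed stand-ins for Jackrabbit's session, principal and `DefaultPrincipalProvider`; the read-check rule they implement (administrators read everything, other users read only their own principal) is an assumption chosen to reproduce the reported behaviour, not the provider's actual logic. The `consistent` method is the regression check a practitioner would want: `getEveryone()` and `getPrincipal("everyone")` must agree for every session.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

/** Constructed stand-in for a session: only the fields the read check uses. */
final class SessionModel {
    final String userId;
    final boolean admin;
    SessionModel(String userId, boolean admin) { this.userId = userId; this.admin = admin; }
}

/** Constructed principal with name-based equality (hypothetical, not a Jackrabbit class). */
final class NamedPrincipal implements Principal {
    private final String name;
    NamedPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof NamedPrincipal && ((NamedPrincipal) o).name.equals(name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

/** Model provider; the flag selects the buggy or the corrected read check (assumed, not Jackrabbit's). */
final class ModelPrincipalProvider {
    static final Principal EVERYONE = new NamedPrincipal("everyone");
    private final Map<String, Principal> registry = new HashMap<>();
    private final boolean everyoneReadableByAll;

    ModelPrincipalProvider(boolean everyoneReadableByAll) {
        this.everyoneReadableByAll = everyoneReadableByAll;
        registry.put("admin", new NamedPrincipal("admin"));
        registry.put("alice", new NamedPrincipal("alice"));
        registry.put(EVERYONE.getName(), EVERYONE);
    }

    /** Returned to every session without any read check, as the report describes. */
    Principal getEveryone() { return EVERYONE; }

    /** Looked up by name and then filtered through the read check. */
    Principal getPrincipal(SessionModel s, String name) {
        Principal p = registry.get(name);
        return (p != null && canReadPrincipal(s, p)) ? p : null;
    }

    private boolean canReadPrincipal(SessionModel s, Principal p) {
        if (s.admin) return true;
        // The corrected check allows the well-known everyone principal for any session.
        if (everyoneReadableByAll && EVERYONE.equals(p)) return true;
        // Assumed rule: a non-administrative user may read its own principal only.
        return p.getName().equals(s.userId);
    }
}

public class EveryoneConsistencyCheck {
    /** Regression check: both access paths must yield the same principal for this session. */
    static boolean consistent(ModelPrincipalProvider pp, SessionModel s) {
        return pp.getEveryone().equals(pp.getPrincipal(s, "everyone"));
    }

    public static void main(String[] args) {
        SessionModel admin = new SessionModel("admin", true);
        SessionModel alice = new SessionModel("alice", false);
        ModelPrincipalProvider buggy = new ModelPrincipalProvider(false);
        ModelPrincipalProvider fixed = new ModelPrincipalProvider(true);
        System.out.println("buggy provider, admin session consistent: " + consistent(buggy, admin));
        System.out.println("buggy provider, alice session consistent: " + consistent(buggy, alice));
        System.out.println("fixed provider, alice session consistent: " + consistent(fixed, alice));
    }
}
```

Run with `javac EveryoneConsistencyCheck.java && java EveryoneConsistencyCheck`. The buggy provider reports the administrative session as consistent and the non-administrative one as not, which is exactly the split the report describes; the corrected provider makes the check pass for both. Keeping a check of this shape in a test suite catches any later change to the read check that drops the everyone case again.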