You are viewing a plain text version of this content. The canonical link for it is here.

Posted to oak-issues@jackrabbit.apache.org by "Thomas Mueller (JIRA)" <ji...@apache.org> on 2013/07/11 15:25:48 UTC

[jira] [Created] (OAK-897) Query+Security: Ensure joins can not reveal existence of invisible nodes

Thomas Mueller created OAK-897:
----------------------------------

             Summary: Query+Security: Ensure joins can not reveal existence of invisible nodes
                 Key: OAK-897
                 URL: https://issues.apache.org/jira/browse/OAK-897
             Project: Jackrabbit Oak
          Issue Type: Test
            Reporter: Thomas Mueller
            Assignee: Thomas Mueller
            Priority: Minor


Queries must not see invisible nodes, but a query must also not reveal the existence of an invisible nodes. Example:

{code}
select a.* from [nt:base] as a 
inner join [nt:base] as b 
on isdescendantnode(b, a)
where a.[jcr:path]=$path
{code}

The above query must only return nodes from selector "a" if the descendant "b" is also visible.

This is currently working as expected as far as I see, but there is no test yet.
Indexes don't know access rights (which is good), so that the query engine must check that the joined node is also visible, even if no data from that node is selected. In the example above, it is not enough to verify the nodes of selector "a" are visible: it is important to check access rights on selector "b" as well.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira