Posted to oak-issues@jackrabbit.apache.org by "Thomas Mueller (JIRA)" <ji...@apache.org> on 2013/07/11 15:25:48 UTC
[jira] [Created] (OAK-897) Query+Security: Ensure joins can not
reveal existence of invisible nodes
Thomas Mueller created OAK-897:
----------------------------------
Summary: Query+Security: Ensure joins can not reveal existence of invisible nodes
Key: OAK-897
URL: https://issues.apache.org/jira/browse/OAK-897
Project: Jackrabbit Oak
Issue Type: Test
Reporter: Thomas Mueller
Assignee: Thomas Mueller
Priority: Minor
Queries must not see invisible nodes, but a query must also not reveal the existence of an invisible node. Example:
{code}
select a.* from [nt:base] as a
inner join [nt:base] as b
on isdescendantnode(b, a)
where a.[jcr:path]=$path
{code}
The above query must only return nodes from selector "a" if the descendant "b" is also visible.
This is currently working as expected as far as I see, but there is no test yet.
Indexes don't know access rights (which is good), so the query engine must check that the joined node is also visible, even if no data from that node is selected. In the example above, it is not enough to verify the nodes of selector "a" are visible: it is important to check access rights on selector "b" as well.
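The check on selector "b" described in the issue, as an added example in Python: a toy model, not Oak code and not Oak's API. The paths, the read set and all function names are constructed for illustration. It runs the join with and without the check on "b" and compares each result with what a repository containing only the readable nodes would return.

```python
# Toy model of the join in OAK-897 (constructed data, not Oak's API).
NODES = ["/", "/public", "/public/doc", "/public/hidden", "/public/hidden/key",
         "/empty", "/empty/hidden"]
READABLE = {"/", "/public", "/public/doc", "/empty"}  # what the session may read


def is_descendant(b, a):
    """True if path b lies strictly below path a, as in isdescendantnode(b, a)."""
    prefix = a if a.endswith("/") else a + "/"
    return b != a and b.startswith(prefix)


def index_lookup_descendants(a):
    """Index scan: like the indexes in the issue, it knows nothing of access rights."""
    return [n for n in NODES if is_descendant(n, a)]


def join(path, readable, check_joined_selector):
    """select a.* from a inner join b on isdescendantnode(b, a) where a.path = path"""
    rows = []
    for a in (n for n in NODES if n == path):
        if a not in readable:          # selector "a" must be visible
            continue
        for b in index_lookup_descendants(a):
            if check_joined_selector and b not in readable:
                continue               # selector "b" must be visible too
            rows.append(a)             # only columns of "a" are returned
    return rows


def leaks_hidden_nodes(check_joined_selector):
    """True if any result differs from a repository holding only readable nodes."""
    for path in sorted(READABLE):
        expected = [path for n in READABLE if is_descendant(n, path)]
        if join(path, READABLE, check_joined_selector) != expected:
            return True
    return False


if __name__ == "__main__":
    for check in (False, True):
        print("check b:", check, "| rows for /empty:", join("/empty", READABLE, check),
              "| leak:", leaks_hidden_nodes(check))
```

Without the check, the row returned for "/empty" shows that it has a descendant even though the session can read none, and the row count for "/public" counts its hidden descendants.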