Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2013/05/30 12:19:21 UTC

[jira] [Comment Edited] (OAK-753) TreeImpl exposes hidden child trees

    [ https://issues.apache.org/jira/browse/OAK-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13670199#comment-13670199 ] 

angela edited comment on OAK-753 at 5/30/13 10:18 AM:
------------------------------------------------------

no, we can't for security reasons. the OAK API should not expose information that
is not accessible to the user in JCR. didn't we discuss that multiple times in the past?
by exposing the OAK_CHILD_ORDER property we provide information about nodes that
otherwise might not be visible to a given user.

apart from that we have to find a generic solution for all hidden items, not just
OAK_CHILD_ORDER. currently hidden items are not protected by access control at all
and there is no way to make them access controlled.
                
      was (Author: anchela):
    no, we can't for security reasons. the OAK API should not expose information that
is not accessible to the user in JCR. didn't we discuss that multiple times in the past?
by exposing the OAK_CHILD_ORDER property we provide information about nodes that
otherwise might not be visible to a given user.

apart from that we have to find a generic solution for all hidden items, not just
OAK_CHILD_ORDER.
                  
> TreeImpl exposes hidden child trees
> -----------------------------------
>
>                 Key: OAK-753
>                 URL: https://issues.apache.org/jira/browse/OAK-753
>             Project: Jackrabbit Oak
>          Issue Type: Task
>          Components: core
>            Reporter: angela
>
> while we are having an extra test to prevent hidden property states
> from being exposed on the oak-api, we forgot to add the same check for
> child trees.
> while adding the test is pretty straightforward it would have an impact
> not only on #getChild(String) but also on
> - #getChildren
> - #getChildrenCount
> - #getOrderedChildNames
> - ...
> the simple check without addressing the other methods (already taking OAK-709 into account):
> {code}
> private boolean canRead(TreeImpl tree) {
>     return tree.getNodeState().exists() && !NodeStateUtils.isHidden(tree.getName());
> }
> {code}
> adding this test will cause the following tests to fail
> - o.a.j.test.nodetype.NodeTypeTest#testGetPrimaryItemName which traverses the
>   repository instead of using a configured node type to set up an appropriate test and fails with the short-cut for childcnt being 1 in NodeDelegate
> - TypeEditorTest#ignoreHidden which tries to create hidden nodes using
>   the oak api (see also OAK-695)
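
The issue above notes that a hidden-name check in #getChild(String) alone is not enough, because #getChildren, #getChildrenCount and #getOrderedChildNames would still reveal hidden children. The following is an added example, not code from Oak or from this thread: `VisibleTree` is a hypothetical stand-in for a tree implementation, and it assumes hidden names are those starting with ':' (`:index` is a constructed sample name). It routes every accessor through one visibility predicate so that names, lookups and counts cannot disagree.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

// Hypothetical stand-in for a tree implementation; this is not Oak's TreeImpl.
public class VisibleTree {
    private final Map<String, VisibleTree> children = new LinkedHashMap<>();
    private final boolean exists;

    VisibleTree(boolean exists) { this.exists = exists; }

    VisibleTree add(String name) {
        VisibleTree child = new VisibleTree(true);
        children.put(name, child);
        return child;
    }

    // Assumption: a hidden item is one whose name starts with ':'.
    static boolean isHidden(String name) {
        return !name.isEmpty() && name.charAt(0) == ':';
    }

    // The single visibility predicate; every accessor below goes through it.
    private boolean canRead(String name) {
        VisibleTree child = children.get(name);
        return child != null && child.exists && !isHidden(name);
    }

    public boolean exists() { return exists; }

    // A hidden child looks exactly like a missing one to the caller.
    public VisibleTree getChild(String name) {
        return canRead(name) ? children.get(name) : new VisibleTree(false);
    }

    public List<String> getOrderedChildNames() {
        return children.keySet().stream().filter(this::canRead).collect(Collectors.toList());
    }

    // Derived from the filtered view, never from the raw child map size,
    // so the count cannot reveal that a hidden child is present.
    public long getChildrenCount() { return getOrderedChildNames().size(); }

    public static void main(String[] args) {
        VisibleTree root = new VisibleTree(true);
        root.add("content");
        root.add(":index"); // constructed hidden child
        root.add("apps");
        System.out.println(root.getChild(":index").exists());
        System.out.println(root.getOrderedChildNames() + " count=" + root.getChildrenCount());
    }
}
```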
