Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2013/05/30 12:19:21 UTC
[jira] [Comment Edited] (OAK-753) TreeImpl exposes hidden child trees
[ https://issues.apache.org/jira/browse/OAK-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13670199#comment-13670199 ]
angela edited comment on OAK-753 at 5/30/13 10:18 AM:
------------------------------------------------------
no, we can't for security reasons. the OAK API should not expose information that
is not accessible to a user in JCR. didn't we discuss that multiple times in the past?
by exposing the OAK_CHILD_ORDER property we provide information about nodes that
otherwise might not be visible to a given user.
apart from that we have to find a generic solution for all hidden items, not just
OAK_CHILD_ORDER. currently hidden items are not protected by access control at all
and there is no way to make them access controlled.
was (Author: anchela):
no, we can't for security reasons. the OAK API should not expose information that
is not accessible to a user in JCR. didn't we discuss that multiple times in the past?
by exposing the OAK_CHILD_ORDER property we provide information about nodes that
otherwise might not be visible to a given user.
apart from that we have to find a generic solution for all hidden items, not just
OAK_CHILD_ORDER.
> TreeImpl exposes hidden child trees
> -----------------------------------
>
> Key: OAK-753
> URL: https://issues.apache.org/jira/browse/OAK-753
> Project: Jackrabbit Oak
> Issue Type: Task
> Components: core
> Reporter: angela
>
> while we are having an extra test to prevent hidden property states
> from being exposed on the oak-api, we forgot to add the same check for
> child trees.
> while adding the test is pretty straightforward it would have an impact
> not only on #getChild(String) but also on
> - #getChildren
> - #getChildrenCount
> - #getOrderedChildNames
> - ...
> the simple check without addressing the other methods (already taking OAK-709 into account):
> {code}
> // a tree is readable only if its node state exists and its name is not a hidden name
> private boolean canRead(TreeImpl tree) {
>     return tree.getNodeState().exists() && !NodeStateUtils.isHidden(tree.getName());
> }
> {code}
> adding this test will cause the following tests to fail
> - o.a.j.test.nodetype.NodeTypeTest#testGetPrimaryItemName which traverses the
> repository instead of using a configured node type to set up an appropriate test and fails with the short-cut for childcnt being 1 in NodeDelegate
> - TypeEditorTest#ignoreHidden which tries to create hidden nodes using
> the oak api (see also OAK-695)
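The point made in the issue and in the comment, as an added example that is not part of the original message and not Oak's code: one read gate shared by every child accessor, so lookup, count and ordered names cannot disagree, and the raw child order is never handed out unfiltered. The `Tree` class, the `acl` predicate and the rule that hidden names start with ':' are assumptions made for this sketch.

```java
import java.util.*;
import java.util.function.Predicate;

/** Added illustration; not Oak's TreeImpl. All names here are hypothetical. */
public class HiddenChildFilterDemo {
    // Assumption: hidden item names start with ':' (what NodeStateUtils.isHidden is assumed to test).
    static boolean isHidden(String name) { return name.startsWith(":"); }

    static final class Tree {
        final String name;
        final Map<String, Tree> children = new LinkedHashMap<>();
        final List<String> childOrder = new ArrayList<>(); // stands in for the hidden child-order property
        final Predicate<Tree> acl;                         // constructed per-user read check

        Tree(String name, Predicate<Tree> acl) { this.name = name; this.acl = acl; }

        Tree add(String childName) {
            Tree c = new Tree(childName, acl);
            children.put(childName, c);
            childOrder.add(childName);
            return c;
        }

        // Single gate used by every accessor below.
        private boolean canRead(Tree t) { return t != null && !isHidden(t.name) && acl.test(t); }

        Tree getChild(String n) { Tree c = children.get(n); return canRead(c) ? c : null; }

        // The stored order is filtered through the same gate before it leaves the API.
        List<String> getOrderedChildNames() {
            List<String> out = new ArrayList<>();
            for (String n : childOrder) if (canRead(children.get(n))) out.add(n);
            return out;
        }

        long getChildrenCount() { return getOrderedChildNames().size(); }
    }

    public static void main(String[] args) {
        // Constructed sample: this user may not read "secret"; ":index" is a hidden tree.
        Tree root = new Tree("", t -> !t.name.equals("secret"));
        root.add("public"); root.add("secret"); root.add(":index");
        System.out.println("ordered names: " + root.getOrderedChildNames());
        System.out.println("count:         " + root.getChildrenCount());
        System.out.println("getChild:      " + root.getChild(":index"));
        // What an unfiltered child-order property would reveal to the same user:
        System.out.println("raw order:     " + root.childOrder);
    }
}
```

The last line of output lists the names of both the hidden tree and the access-denied node, which is the disclosure the comment describes for OAK_CHILD_ORDER.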