You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jackrabbit.apache.org by "Marcel Reutegger (JIRA)" <ji...@apache.org> on 2011/07/01 00:53:28 UTC
[jira] [Updated] (JCR-3007) setProperty access control evaluation
does not properly cope with XA transactions
[ https://issues.apache.org/jira/browse/JCR-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marcel Reutegger updated JCR-3007:
----------------------------------
Fix Version/s: 2.2.8
Merged into 2.2 branch in revision 1141745
> setProperty access control evaluation does not properly cope with XA transactions
> ---------------------------------------------------------------------------------
>
> Key: JCR-3007
> URL: https://issues.apache.org/jira/browse/JCR-3007
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-core
> Affects Versions: 2.2.7
> Reporter: Lars Krapf
> Labels: jackrabbit-core,, security,, transactions
> Fix For: 2.2.8, 2.3.0
>
> Attachments: transaction.patch
>
>
> This is another instance of the problems with ACL evaluation within transactions described in https://issues.apache.org/jira/browse/JCR-2999.
> In this case PropertyImpl#getParent() called from PropertyImpl#checkSetValue() is trying to check read permissions of the yet uncommited parent and thus fails with an ItemNotFound exception.
> The problem is reproducible with the following test:
> public void testTransaction() throws Exception {
> // make sure testUser has all privileges
> Privilege[] privileges = privilegesFromName(Privilege.JCR_ALL);
> givePrivileges(path, privileges, getRestrictions(superuser, path));
> // create new node and lock it
> Session s = getTestSession();
> UserTransaction utx = new UserTransactionImpl(s);
> utx.begin();
> // add node and save it
> Node n = s.getNode(childNPath);
> if (n.hasNode(nodeName1)) {
> Node c = n.getNode(nodeName1);
> c.remove();
> s.save();
> }
> // create node and save
> Node n2 = n.addNode(nodeName1);
> s.save(); // -> node is NEW -> no failure
> // set a property on a child node of an uncommited parent
> n2.setProperty(propertyName1, "testSetProperty");
> s.save(); // -> fail because PropertyImpl#getParent called from PropertyImpl#checkSetValue
> // was checking read permission on the not yet commited parent
> // commit
> utx.commit();
> }
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira