You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jackrabbit.apache.org by "Marcel Reutegger (JIRA)" <ji...@apache.org> on 2011/07/01 00:53:28 UTC

[jira] [Updated] (JCR-3007) setProperty access control evaluation does not properly cope with XA transactions

     [ https://issues.apache.org/jira/browse/JCR-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcel Reutegger updated JCR-3007:
----------------------------------

    Fix Version/s: 2.2.8

Merged into 2.2 branch in revision 1141745

> setProperty access control evaluation does not properly cope with XA transactions
> ---------------------------------------------------------------------------------
>
>                 Key: JCR-3007
>                 URL: https://issues.apache.org/jira/browse/JCR-3007
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-core
>    Affects Versions: 2.2.7
>            Reporter: Lars Krapf
>              Labels: jackrabbit-core,, security,, transactions
>             Fix For: 2.2.8, 2.3.0
>
>         Attachments: transaction.patch
>
>
> This is another instance of the problems with ACL evaluation within transactions described in https://issues.apache.org/jira/browse/JCR-2999.
> In this case PropertyImpl#getParent() called from PropertyImpl#checkSetValue() is trying to check read permissions of the yet uncommited parent and thus fails with an ItemNotFound exception.
> The problem is reproducible with the following test:
> public void testTransaction() throws Exception {
>         // make sure testUser has all privileges
>         Privilege[] privileges = privilegesFromName(Privilege.JCR_ALL);
>         givePrivileges(path, privileges, getRestrictions(superuser, path));
>         // create new node and lock it
>         Session s = getTestSession();
>         UserTransaction utx = new UserTransactionImpl(s);
>         utx.begin();
>         // add node and save it
>         Node n = s.getNode(childNPath);
>         if (n.hasNode(nodeName1)) {
>             Node c = n.getNode(nodeName1);
>             c.remove();
>             s.save();
>         }
>         // create node and save
>         Node n2 = n.addNode(nodeName1);
>         s.save(); // -> node is NEW -> no failure
>         // set a property on a child node of an uncommited parent
>         n2.setProperty(propertyName1, "testSetProperty");
>         s.save();  // -> fail because PropertyImpl#getParent called from PropertyImpl#checkSetValue
>                        //    was checking read permission on the not yet commited parent
>         // commit
>         utx.commit();
>     }

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira