Posted to dev@sling.apache.org by "Mohit Arora (Jira)" <ji...@apache.org> on 2020/03/17 18:15:00 UTC

[jira] [Updated] (SLING-9212) Distribution.core checks for jcr:removeNode permissions on importer side for DELETE request

     [ https://issues.apache.org/jira/browse/SLING-9212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mohit Arora updated SLING-9212:
-------------------------------
    Fix Version/s: Content Distribution Core 0.4.4

> Distribution.core checks for jcr:removeNode permissions on importer side for DELETE request
> -------------------------------------------------------------------------------------------
>
>                 Key: SLING-9212
>                 URL: https://issues.apache.org/jira/browse/SLING-9212
>             Project: Sling
>          Issue Type: Bug
>          Components: Content Distribution
>            Reporter: Mohit Arora
>            Priority: Major
>             Fix For: Content Distribution Core 0.4.4
>
>
> When a resource is distributed from one endpoint to another with RequestType set to DELETE, the execute method of SimpleDistributionAgent [checks the permissions for the passed resolver on the given path(s)|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/SimpleDistributionAgent.java#L175]. In the case of a DELETE request, apart from the [configured permissions|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/PrivilegeDistributionRequestAuthorizationStrategy.java#L85], it also checks for {{jcr:removeNode}} permissions for the user on the path. This check happens on the exporter side, but AFAIU the actual deletion happens on the importer endpoint. The content does not get deleted on the exporter side. In that case, this permission check should happen on the importer side.
> cc - [~marett], [~ashishc]


