You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jackrabbit.apache.org by "Julian Reschke (Jira)" <ji...@apache.org> on 2019/12/18 12:40:00 UTC
[jira] [Closed] (JCR-3858) NodeIterator.getSize(): compatibility
with Jackrabbit 2.5
[ https://issues.apache.org/jira/browse/JCR-3858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Julian Reschke closed JCR-3858.
-------------------------------
> NodeIterator.getSize(): compatibility with Jackrabbit 2.5
> ---------------------------------------------------------
>
> Key: JCR-3858
> URL: https://issues.apache.org/jira/browse/JCR-3858
> Project: Jackrabbit Content Repository
> Issue Type: New Feature
> Affects Versions: 2.6.2, 2.7
> Reporter: Thomas Mueller
> Assignee: Thomas Mueller
> Priority: Major
>
> In Jackrabbit 2.5 and older, the query result set (NodeIterator.getSize()) was an estimation that sometimes included nodes that are not visible for the current user.
> This is a possible security problem. The behavior was changed (and the security problem fixed) in JCR-3402. However, this is an incompatibility with Jackrabbit 2.5.
> I suggest to make this configurable in workspace.xml / repository.xml (or a system property, if that turns out to be too complicated). The default is the current (secure) behavior, with the option to use the old variant.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)