You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jackrabbit.apache.org by "Julian Reschke (Jira)" <ji...@apache.org> on 2019/12/18 12:40:00 UTC

[jira] [Closed] (JCR-3858) NodeIterator.getSize(): compatibility with Jackrabbit 2.5

     [ https://issues.apache.org/jira/browse/JCR-3858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julian Reschke closed JCR-3858.
-------------------------------

> NodeIterator.getSize(): compatibility with Jackrabbit 2.5
> ---------------------------------------------------------
>
>                 Key: JCR-3858
>                 URL: https://issues.apache.org/jira/browse/JCR-3858
>             Project: Jackrabbit Content Repository
>          Issue Type: New Feature
>    Affects Versions: 2.6.2, 2.7
>            Reporter: Thomas Mueller
>            Assignee: Thomas Mueller
>            Priority: Major
>
> In Jackrabbit 2.5 and older, the query result set (NodeIterator.getSize()) was an estimation that sometimes included nodes that are not visible for the current user.
> This is a possible security problem. The behavior was changed (and the security problem fixed) in JCR-3402. However, this is an incompatibility with Jackrabbit 2.5.
> I suggest to make this configurable in workspace.xml / repository.xml (or a system property, if that turns out to be too complicated). The default is the current (secure) behavior, with the option to use the old variant.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)