Posted to commits@jackrabbit.apache.org by an...@apache.org on 2009/12/02 12:43:43 UTC
svn commit: r886120 - in /jackrabbit/trunk/jackrabbit-core/src:
main/java/org/apache/jackrabbit/core/
test/java/org/apache/jackrabbit/core/security/authorization/acl/
Author: angela
Date: Wed Dec 2 11:43:37 2009
New Revision: 886120
URL: http://svn.apache.org/viewvc?rev=886120&view=rev
Log:
JCR-2418 : Read permission on parent node required to access an item's definition
Added:
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java (with props)
Modified:
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/ItemManager.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/ItemManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/ItemManager.java?rev=886120&r1=886119&r2=886120&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/ItemManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/ItemManager.java Wed Dec 2 11:43:37 2009
@@ -181,8 +181,11 @@
}
NodeState parentState = null;
try {
- NodeImpl parent = (NodeImpl) getItem(parentId);
- parentState = parent.getNodeState();
+ // access the parent state circumventing permission check, since
+ // read permission on the parent isn't required in order to retrieve
+ // a node's definition. see also JCR-2418
+ ItemData parentData = getItemData(parentId, null, false);
+ parentState = (NodeState) parentData.getState();
if (state.getParentId() == null) {
// indicates state has been removed, must use
// overlayed state of parent, otherwise child node entry
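Review bot: The call `getItemData(parentId, null, false)` in the new try block switches off the read check through a bare `false`, and the result of `parentData.getState()` is cast to NodeState without a type check. Since this is a deliberate access-control bypass, I would label the argument at the call site, e.g. `getItemData(parentId, null, /* no permission check */ false)`, and extend the comment to say that `parentState` is used only to resolve the definition and must not be handed back to the session. Whether getItemData caches the data it loads is not visible here; if it does, it is worth confirming that a later checked lookup of the same id still evaluates read permission on a cache hit. The enclosing method starts and ends outside the hunk.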
@@ -237,7 +240,11 @@
PropertyDefinitionImpl getDefinition(PropertyState state)
throws RepositoryException {
try {
- NodeImpl parent = (NodeImpl) getItem(state.getParentId());
+ // retrieve parent in 2 steps in order to avoid the check for
+ // read permissions on the parent which isn't required in order
+ // to read the property's definition. see also JCR-2418.
+ ItemData parentData = getItemData(state.getParentId(), null, false);
+ NodeImpl parent = (NodeImpl) createItemInstance(parentData);
return parent.getApplicablePropertyDefinition(
state.getName(), state.getType(), state.isMultiValued(), true);
} catch (ItemNotFoundException e) {
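Review bot: `createItemInstance(parentData)` builds a full NodeImpl for a parent the session may have no read access to, whereas the node-definition path in the earlier hunk stays at the state level. In the visible lines the instance is used only for `getApplicablePropertyDefinition`, so the comment should state that constraint, for example `// 'parent' is not permission-checked: use it only for the definition lookup, never hand it out`. The `(NodeImpl)` cast also assumes the parent id always resolves to a node item, which is likely for a property's parent but is not checked here. The remaining catch blocks of getDefinition lie outside the hunk.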
Added: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java?rev=886120&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java Wed Dec 2 11:43:37 2009
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization.acl;
+
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest;
+import org.apache.jackrabbit.test.NotExecutableException;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.Node;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.Value;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.Privilege;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.Map;
+
+/**
+ * <code>ReadTest</code>...
+ */
+public class ReadTest extends AbstractEvaluationTest {
+
+ protected String path;
+ protected String childNPath;
+
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ // create some nodes below the test root in order to apply ac-stuff
+ Node node = testRootNode.addNode(nodeName1, testNodeType);
+ Node cn1 = node.addNode(nodeName2, testNodeType);
+ superuser.save();
+
+ path = node.getPath();
+ childNPath = cn1.getPath();
+ }
+
+ protected boolean isExecutable() {
+ return EvaluationUtil.isExecutable(acMgr);
+ }
+
+ protected JackrabbitAccessControlList getPolicy(AccessControlManager acM, String path, Principal principal) throws RepositoryException, AccessDeniedException, NotExecutableException {
+ return EvaluationUtil.getPolicy(acM, path, principal);
+ }
+
+ protected Map<String, Value> getRestrictions(Session s, String path) {
+ return Collections.emptyMap();
+ }
+
+ public void testReadDenied() throws Exception {
+ Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
+
+ /* deny READ privilege for testUser at 'path' */
+ withdrawPrivileges(path, privileges, getRestrictions(superuser, path));
+ /*
+ allow READ privilege for testUser at 'childNPath'
+ */
+ givePrivileges(childNPath, privileges, getRestrictions(superuser, childNPath));
+
+
+ Session testSession = getTestSession();
+
+ assertFalse(testSession.nodeExists(path));
+ assertTrue(testSession.nodeExists(childNPath));
+ Node n = testSession.getNode(childNPath);
+ n.getDefinition();
+ }
+}
\ No newline at end of file
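Review bot: testReadDenied calls `n.getDefinition()` and discards the result, and it never exercises the property-definition branch that the same commit changes in ItemManager. I would assert the result with `assertNotNull(n.getDefinition());`, add `assertNotNull(n.getProperty("jcr:primaryType").getDefinition());`, and end with a second `assertFalse(testSession.nodeExists(path));` so the test also shows that the unchecked parent lookup does not make the denied parent visible afterwards. The class Javadoc is still the placeholder `<code>ReadTest</code>...` and should name the access-control scenario the class covers.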
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision Rev URL
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java?rev=886120&r1=886119&r2=886120&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java Wed Dec 2 11:43:37 2009
@@ -40,6 +40,7 @@
suite.addTestSuite(ACLTemplateTest.class);
suite.addTestSuite(EntryTest.class);
+ suite.addTestSuite(ReadTest.class);
suite.addTestSuite(WriteTest.class);
suite.addTestSuite(LockTest.class);
suite.addTestSuite(VersionTest.class);
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java?rev=886120&r1=886119&r2=886120&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java Wed Dec 2 11:43:37 2009
@@ -338,4 +338,27 @@
group2.remove();
}
}
+
+ public void testWriteIfReadingParentIsDenied() throws Exception {
+ Privilege[] privileges = privilegesFromNames(new String[] {Privilege.JCR_READ, Privilege.JCR_WRITE});
+
+ /* deny READ/WRITE privilege for testUser at 'path' */
+ withdrawPrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser, path));
+ /*
+ allow READ/WRITE privilege for testUser at 'childNPath'
+ */
+ givePrivileges(childNPath, testUser.getPrincipal(), privileges, getRestrictions(superuser, childNPath));
+
+
+ Session testSession = getTestSession();
+
+ assertFalse(testSession.nodeExists(path));
+
+ // reading the node and it's definition must succeed.
+ assertTrue(testSession.nodeExists(childNPath));
+ Node n = testSession.getNode(childNPath);
+
+ n.addNode("someChild");
+ n.save();
+ }
}
\ No newline at end of file
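Review bot: testWriteIfReadingParentIsDenied ends at `n.save()` with no assertion on the outcome, so it passes as long as nothing throws. Adding `assertTrue(n.hasNode("someChild"));` after the save, plus a final `assertFalse(testSession.nodeExists(path));`, would pin both the write and the fact that the denied parent stays hidden. The inline comment mentions reading the definition, but no `getDefinition()` call appears in the test; presumably `addNode` triggers the lookup internally, and the comment should say so (and read "its definition"). The enclosing class starts outside the hunk.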