Posted to dev@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2009/12/04 15:46:20 UTC
[jira] Commented: (JCR-2425) Session.save() and
Session.refresh(boolean) rely on accessibility of the root node
[ https://issues.apache.org/jira/browse/JCR-2425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12785949#action_12785949 ]
angela commented on JCR-2425:
-----------------------------
The following test should demonstrate the problem. It's an adapted copy of
org.apache.jackrabbit.core.security.authorization.acl.WriteTest#testWriteIfReadingParentIsDenied

    public void testWriteWithoutRootAccess() throws Exception {
        Privilege[] privileges = privilegesFromNames(new String[] {Privilege.JCR_READ, Privilege.JCR_WRITE});

        /* deny READ/WRITE privilege for testUser at '/' */
        withdrawPrivileges("/", testUser.getPrincipal(), privileges, getRestrictions(superuser, "/"));

        /* allow READ/WRITE privilege for testUser at 'path' */
        givePrivileges(childNPath, testUser.getPrincipal(), privileges, getRestrictions(superuser, childNPath));

        Session testSession = getTestSession();

        // reading the node and its definition must succeed.
        assertTrue(testSession.nodeExists(childNPath));
        Node n = testSession.getNode(childNPath);

        n.addNode("someChild");
        testSession.save(); // or testSession.refresh(false)

        // TODO: proper cleanup of modified permissions outside of the testroot-scope that is cleaned up in tear-down.
    }

> Session.save() and Session.refresh(boolean) rely on accessibility of the root node
> ----------------------------------------------------------------------------------
>
> Key: JCR-2425
> URL: https://issues.apache.org/jira/browse/JCR-2425
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-core
> Reporter: angela
>
> Follow-up issue to JCR-2418:
> An editing session that is only allowed to write in a subtree but isn't allowed to access the root node will not be
> able to save or revert changes made in the transient space within that subtree.
> The reason for this is that both SessionImpl.save() and SessionImpl.refresh(boolean) access the root node
> in order to execute the call. Since it's the regular call, READ permissions are checked, although the user
> made no attempt to *look* at the root.
> A workaround would be to call Item.save() on the modified tree itself that obviously was visible to the
> user... unfortunately that method is deprecated as of JCR 2.0. Therefore, I have the impression that we
> should fix the methods mentioned above.