Posted to dev@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2009/12/04 15:46:20 UTC

[jira] Commented: (JCR-2425) Session.save() and Session.refresh(boolean) rely on accessibility of the root node

    [ https://issues.apache.org/jira/browse/JCR-2425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12785949#action_12785949 ] 

angela commented on JCR-2425:
-----------------------------

The following test should demonstrate the problem. It's an adapted copy of
org.apache.jackrabbit.core.security.authorization.acl.WriteTest#testWriteIfReadingParentIsDenied


    public void testWriteWithoutRootAccess() throws Exception {
        Privilege[] privileges = privilegesFromNames(new String[] {Privilege.JCR_READ, Privilege.JCR_WRITE});

        /* deny READ/WRITE privilege for testUser at '/' */
        withdrawPrivileges("/", testUser.getPrincipal(), privileges, getRestrictions(superuser, "/"));
        /* allow READ/WRITE privilege for testUser at 'path' */
        givePrivileges(childNPath, testUser.getPrincipal(), privileges, getRestrictions(superuser, childNPath));

        Session testSession = getTestSession();

        // reading the node and its definition must succeed.
        assertTrue(testSession.nodeExists(childNPath));
        Node n = testSession.getNode(childNPath);

        n.addNode("someChild");
        testSession.save();  // or testSession.refresh(false)

        // TODO: proper cleanup of modified permissions outside of the testroot-scope that is cleaned up in tear-down.
    }

> Session.save() and Session.refresh(boolean) rely on accessibility of the root node
> ----------------------------------------------------------------------------------
>
>                 Key: JCR-2425
>                 URL: https://issues.apache.org/jira/browse/JCR-2425
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-core
>            Reporter: angela
>
> Follow-up issue to JCR-2418:
> An editing session that is only allowed to write in a subtree but isn't allowed to access the root node will not be
> able to save or revert changes made in the transient space within that subtree.
> The reason for this is that both SessionImpl.save() and SessionImpl.refresh(boolean) access the root node
> in order to execute the call. Since it's the regular call, READ permissions are checked, although the user
> made no attempt to *look* at the root.
> A workaround would be to call Item.save() on the modified tree itself, which obviously was visible to the
> user... Unfortunately, that method is deprecated as of JCR 2.0. Therefore, I have the impression that we
> should fix the methods mentioned above.

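The failure mode described in the issue, as an added, simplified model: this is not Jackrabbit code and not part of the original message. The paths, the ACL map and all method names are constructed for illustration, and SecurityException stands in for the repository's access error.

```java
import java.util.*;

/** Simplified model (not Jackrabbit code) of the failure mode reported in JCR-2425. */
public class RootAnchoredSaveDemo {
    // Constructed ACL for the test user: path -> READ allowed? The longest matching path wins.
    static final Map<String, Boolean> ACL = new HashMap<>();
    static final Set<String> transientAdds = new TreeSet<>(); // unsaved items in the transient space
    static final Set<String> persisted = new TreeSet<>();

    static boolean canRead(String path) {
        String best = "";
        boolean allowed = false;
        for (Map.Entry<String, Boolean> e : ACL.entrySet()) {
            String p = e.getKey();
            boolean covers = p.equals("/") || path.equals(p) || path.startsWith(p + "/");
            if (covers && p.length() > best.length()) { best = p; allowed = e.getValue(); }
        }
        return allowed;
    }

    // Regular, permission-checked item lookup: the same path a user-initiated read takes.
    static String getItem(String path) {
        if (!canRead(path)) throw new SecurityException("no READ on " + path);
        return path;
    }

    // Persists every transient item below the anchor node.
    static void saveBelow(String anchor) {
        String prefix = anchor.equals("/") ? "/" : anchor + "/";
        for (Iterator<String> it = transientAdds.iterator(); it.hasNext();) {
            String p = it.next();
            if (p.startsWith(prefix)) { persisted.add(p); it.remove(); }
        }
    }

    // Models Session.save(): anchors at the root through the checked lookup.
    static void sessionSave() { saveBelow(getItem("/")); }

    // Models the Item.save() workaround: anchors at a node the user was able to read.
    static void itemSave(String nodePath) { saveBelow(getItem(nodePath)); }

    public static void main(String[] args) {
        ACL.put("/", false);              // deny at '/'
        ACL.put("/testroot/child", true); // allow at the subtree
        transientAdds.add("/testroot/child/someChild");
        try { sessionSave(); }
        catch (SecurityException e) { System.out.println("Session.save() failed: " + e.getMessage()); }
        itemSave("/testroot/child");
        System.out.println("persisted after Item.save(): " + persisted);
    }
}
```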