You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2015/10/01 14:48:26 UTC

[jira] [Updated] (JCRVLT-99) Creating a package using package manager API requires read access to root node

     [ https://issues.apache.org/jira/browse/JCRVLT-99?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela updated JCRVLT-99:
-------------------------
    Attachment: filevault_root_access.txt

[~tripod], in the attached {{filevault_root_access.txt}} you can find the complete result for searching the jcrvlt code base for {{getRootNode}}. some seemed to be valid shortcuts (marked with _(excluded)_) but i suspect that others might require some attention.

if using the functionality provided with a non-admin session, access to the root node is likely to not be granted thus rendering the filevault unusable (or risking privilege escalations by being forced to grant a non-privileged session full access up to the root node).

> Creating a package using package manager API requires read access to root node
> ------------------------------------------------------------------------------
>
>                 Key: JCRVLT-99
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-99
>             Project: Jackrabbit FileVault
>          Issue Type: Bug
>          Components: Packaging
>            Reporter: Marc Pfaff
>         Attachments: filevault_root_access.txt
>
>
> When creating a package using PackageManagerImpl.assemble() the package manager session used always requires read access to the root node, due to the call to Session.getRootNode(). 
> {code}
> Caused by: javax.jcr.AccessDeniedException: Root node is not accessible.
> 	at org.apache.jackrabbit.oak.jcr.session.SessionImpl$4.perform(SessionImpl.java:304)
> 	at org.apache.jackrabbit.oak.jcr.session.SessionImpl$4.perform(SessionImpl.java:298)
> 	at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:209)
> 	at org.apache.jackrabbit.oak.jcr.session.SessionImpl.getRootNode(SessionImpl.java:298)
> 	at org.apache.jackrabbit.vault.packaging.impl.JcrPackageManagerImpl.getPackageRoot(JcrPackageManagerImpl.java:637)
> 	at org.apache.jackrabbit.vault.packaging.impl.JcrPackageManagerImpl.listPackages(JcrPackageManagerImpl.java:683)
> 	at org.apache.jackrabbit.vault.packaging.impl.JcrPackageManagerImpl.validateSubPackages(JcrPackageManagerImpl.java:490)
> 	at org.apache.jackrabbit.vault.packaging.impl.JcrPackageManagerImpl.assemble(JcrPackageManagerImpl.java:458)
> 	at org.apache.jackrabbit.vault.packaging.impl.JcrPackageManagerImpl.assemble(JcrPackageManagerImpl.java:447)
> {code}
> I'm using version 3.1.20 (as reported by felix console), but somehow this version is not available in the Jira "Affects Version/s" field. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)