Posted to oak-commits@jackrabbit.apache.org by th...@apache.org on 2016/12/21 10:01:00 UTC

svn commit: r1775381 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/core/SecureNodeBuilder.java test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/ChildOrderPropertyTest.java

Author: thomasm
Date: Wed Dec 21 10:01:00 2016
New Revision: 1775381

URL: http://svn.apache.org/viewvc?rev=1775381&view=rev
Log:
OAK-5354 Security: the order of child nodes should be correct if the child nodes are readable

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecureNodeBuilder.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/ChildOrderPropertyTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecureNodeBuilder.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecureNodeBuilder.java?rev=1775381&r1=1775380&r2=1775381&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecureNodeBuilder.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecureNodeBuilder.java Wed Dec 21 10:01:00 2016
@@ -44,6 +44,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
 import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
+import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
 
 class SecureNodeBuilder implements NodeBuilder {
 
@@ -372,7 +373,10 @@ class SecureNodeBuilder implements NodeB
         @Override
         public boolean apply(@Nullable PropertyState property) {
             if (property != null) {
-                return getTreePermission().canRead(property) || isNew(property.getName());
+                String propertyName = property.getName();
+                return NodeStateUtils.isHidden(propertyName) ||
+                        getTreePermission().canRead(property) ||
+                        isNew(propertyName);
             } else {
                 return false;
             }
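Review bot: The added `NodeStateUtils.isHidden(propertyName)` clause in `apply` lets every hidden property through without consulting `getTreePermission().canRead(property)`, which is wider than the child-order case named in the log message. If only ordering is needed, the exemption could be narrowed to the child-order property, e.g. `TreeConstants.OAK_CHILD_ORDER.equals(propertyName) ||`; if all hidden properties are intended, a comment such as `// hidden (internal) properties skip the read check so child order stays intact; see OAK-5354` would record that decision. The child-order value presumably names all children of the node, so it is worth confirming that consumers still filter it against the children the session can actually read. The predicate class around `apply` begins and ends outside this hunk.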

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/ChildOrderPropertyTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/ChildOrderPropertyTest.java?rev=1775381&r1=1775380&r2=1775381&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/ChildOrderPropertyTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/ChildOrderPropertyTest.java Wed Dec 21 10:01:00 2016
@@ -21,13 +21,21 @@ import static org.junit.Assert.assertFal
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 
+import java.util.List;
 import java.util.Set;
 
+import javax.annotation.Nullable;
+
+import com.google.common.base.Function;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.Iterables;
 import com.google.common.collect.Sets;
 import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.plugins.tree.impl.TreeConstants;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -81,4 +89,25 @@ public class ChildOrderPropertyTest exte
         assertNull(a.getPropertyStatus(TreeConstants.OAK_CHILD_ORDER));
     }
 
+    @Test
+    public void testChildOrderWithoutPropertyReadAccess() throws Exception {
+        root.getTree("/a/bb").orderBefore("b");
+        root.commit();
+        setupPermission("/", testPrincipal, true, PrivilegeConstants.REP_READ_NODES);
+
+        Root testRoot = getTestRoot();
+        Tree aTree = testRoot.getTree("/a");
+        // verify that properties cannot be read:
+        assertFalse(aTree.hasProperty(JcrConstants.JCR_PRIMARYTYPE));
+
+        List<String> expected = ImmutableList.of("/a/bb", "/a/b");
+        Iterable<String> childPaths = Iterables.transform(aTree.getChildren(), new Function<Tree, String>() {
+            @Nullable
+            @Override
+            public String apply(Tree input) {
+                return input.getPath();
+            }
+        });
+        assertTrue(childPaths.toString(), Iterables.elementsEqual(expected, childPaths));
+    }
 }
\ No newline at end of file
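Review bot: `testChildOrderWithoutPropertyReadAccess` covers only the case where every child is readable, so it does not pin down that the hidden property now passed by the builder stays invisible to the test session. Adding `assertFalse(aTree.hasProperty(TreeConstants.OAK_CHILD_ORDER));` next to the `JCR_PRIMARYTYPE` assertion would cover that. A second case in which read access to one child (say `/a/b`) is denied would also show that its name is omitted from `aTree.getChildren()` while the remaining order is kept.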