You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2020/10/16 12:43:12 UTC
svn commit: r1882583 - in /jackrabbit/oak/trunk: oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java

Author: angela
Date: Fri Oct 16 12:43:12 2020
New Revision: 1882583

URL: http://svn.apache.org/viewvc?rev=1882583&view=rev
Log:
OAK-9183 : verify 'Mapping API Calls to Privileges' wrt to move operations

Modified:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md?rev=1882583&r1=1882582&r2=1882583&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md Fri Oct 16 12:43:12 2020
@@ -107,7 +107,7 @@ of the special index definition.
 
 | API Call                                     | Privilege(s)                   |
 |----------------------------------------------|--------------------------------|
-| `Session.move`                               | `jcr:removeChildNodes` (source parent) and `jcr:addChildNodes` (target parent) |
+| `Session.move`                               | same privileges as if the node to move would be removed and created using regular API calls (items in the subtree are not checked) |
 | `Session.importXml`                          | same privileges as if items would be created using regular API calls |
 
 ##### Access Control Management
@@ -182,7 +182,7 @@ of the special index definition.
 
 | API Call                                     | Privilege(s)                   |
 |----------------------------------------------|--------------------------------|
-| `Workspace.move`                             | `jcr:removeChildNodes` (source parent) and `jcr:addChildNodes` (target parent) |
+| `Workspace.move`                             | same privileges as if the node to move would be removed and created using regular API calls (items in the subtree are not checked) |
 | `Workspace.copy`                             | same privileges as if items would be created using regular API calls |
 | `Workspace.importXml`                        | same privileges as if items would be created using regular API calls |
 

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java?rev=1882583&r1=1882582&r2=1882583&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java Fri Oct 16 12:43:12 2020
@@ -138,6 +138,31 @@ public abstract class AbstractMoveTest e
     }
 
     @Test
+    public void testMoveMissingNtManagement() throws Exception {
+        // not granting jcr:nodeTypeManagement
+        allow(path, privilegesFromNames(new String[] {
+                Privilege.JCR_ADD_CHILD_NODES,
+                Privilege.JCR_REMOVE_CHILD_NODES,
+                Privilege.JCR_REMOVE_NODE}));
+        try {
+            move(childNPath, destPath);
+            fail("Move requires jcr:nodeTypeManagement privilege at destination.");
+        } catch (AccessDeniedException e) {
+            // success.
+        }
+    }
+
+    @Test
+    public void testMoveMissingPrivilegesInSubtree() throws Exception {
+        // grant privileges required to move 'childNPath' to 'destPath'
+        allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+        // revoke privileges such that only 'childNPath' can be removed and added
+        deny(childNPath, modifyChildCollection);
+        deny(nodePath3, privilegesFromNames(new String[] {Privilege.JCR_REMOVE_NODE}));
+        move(childNPath, destPath);
+    }
+
+    @Test
     public void testMissingJcrAddChildNodesAtDestParent() throws Exception {
         allow(path, privilegesFromNames(new String[] {
                 Privilege.JCR_ADD_CHILD_NODES,