Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2020/10/16 12:43:12 UTC
svn commit: r1882583 - in /jackrabbit/oak/trunk:
oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java
Author: angela
Date: Fri Oct 16 12:43:12 2020
New Revision: 1882583
URL: http://svn.apache.org/viewvc?rev=1882583&view=rev
Log:
OAK-9183 : verify 'Mapping API Calls to Privileges' wrt to move operations
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md?rev=1882583&r1=1882582&r2=1882583&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md Fri Oct 16 12:43:12 2020
@@ -107,7 +107,7 @@ of the special index definition.
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
-| `Session.move` | `jcr:removeChildNodes` (source parent) and `jcr:addChildNodes` (target parent) |
+| `Session.move` | same privileges as if the node to move would be removed and created using regular API calls (items in the subtree are not checked) |
| `Session.importXml` | same privileges as if items would be created using regular API calls |
##### Access Control Management
@@ -182,7 +182,7 @@ of the special index definition.
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
-| `Workspace.move` | `jcr:removeChildNodes` (source parent) and `jcr:addChildNodes` (target parent) |
+| `Workspace.move` | same privileges as if the node to move would be removed and created using regular API calls (items in the subtree are not checked) |
| `Workspace.copy` | same privileges as if items would be created using regular API calls |
| `Workspace.importXml` | same privileges as if items would be created using regular API calls |
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java?rev=1882583&r1=1882582&r2=1882583&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java Fri Oct 16 12:43:12 2020
@@ -138,6 +138,31 @@ public abstract class AbstractMoveTest e
}
@Test
+ public void testMoveMissingNtManagement() throws Exception {
+ // not granting jcr:nodeTypeManagement
+ allow(path, privilegesFromNames(new String[] {
+ Privilege.JCR_ADD_CHILD_NODES,
+ Privilege.JCR_REMOVE_CHILD_NODES,
+ Privilege.JCR_REMOVE_NODE}));
+ try {
+ move(childNPath, destPath);
+ fail("Move requires jcr:nodeTypeManagement privilege at destination.");
+ } catch (AccessDeniedException e) {
+ // success.
+ }
+ }
+
+ @Test
+ public void testMoveMissingPrivilegesInSubtree() throws Exception {
+ // grant privileges required to move 'childNPath' to 'destPath'
+ allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+ // revoke privileges such that only 'childNPath' can be removed and added
+ deny(childNPath, modifyChildCollection);
+ deny(nodePath3, privilegesFromNames(new String[] {Privilege.JCR_REMOVE_NODE}));
+ move(childNPath, destPath);
+ }
+
+ @Test
public void testMissingJcrAddChildNodesAtDestParent() throws Exception {
allow(path, privilegesFromNames(new String[] {
Privilege.JCR_ADD_CHILD_NODES,
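Review bot: testMoveMissingPrivilegesInSubtree ends at `move(childNPath, destPath);` with no assertion, so it passes on the absence of an exception alone and does not pin the outcome it is meant to document. Since this test backs the documentation statement that items in the subtree are not checked, I would assert after the move that the node is present at `destPath` and gone from `childNPath`, and add a comment such as `// move must succeed: privileges on items below the moved node are not evaluated`. It would also help to state or check whether the deny entries set on `childNPath` and `nodePath3` still take effect at the new location, because otherwise a reader cannot tell whether a move sheds restrictions inside the subtree; `nodePath3` is presumably below `childNPath`, which the hunk does not show. The body of testMissingJcrAddChildNodesAtDestParent continues outside the hunk.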