Posted to dev@sling.apache.org by "Mohit Arora (Jira)" <ji...@apache.org> on 2020/03/17 18:15:00 UTC

[jira] [Created] (SLING-9212) Distribution.core checks for jcr:removeNode permissions on importer side for DELETE request

Mohit Arora created SLING-9212:
----------------------------------

             Summary: Distribution.core checks for jcr:removeNode permissions on importer side for DELETE request
                 Key: SLING-9212
                 URL: https://issues.apache.org/jira/browse/SLING-9212
             Project: Sling
          Issue Type: Bug
          Components: Content Distribution
            Reporter: Mohit Arora


When a resource is distributed from one endpoint to another with RequestType set to DELETE, the execute method of SimpleDistributionAgent [checks the permissions for the passed resolver on the given path(s)|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/SimpleDistributionAgent.java#L175]. In the case of a DELETE request, apart from the [configured permissions|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/PrivilegeDistributionRequestAuthorizationStrategy.java#L85], it also checks for {{jcr:removeNode}} permissions for the user on the path. This check happens on the exporter side but AFAIU, the actual deletion happens on the importer endpoint. The content does not get deleted on the exporter side. In that case, this permission check should happen on the importer side.

cc - [~marett], [~ashishc]


