Posted to dev@sling.apache.org by "Mohit Arora (Jira)" <ji...@apache.org> on 2020/03/17 18:15:00 UTC
[jira] [Created] (SLING-9212) Distribution.core checks for jcr:removeNode permissions on importer side for DELETE request
Mohit Arora created SLING-9212:
----------------------------------
Summary: Distribution.core checks for jcr:removeNode permissions on importer side for DELETE request
Key: SLING-9212
URL: https://issues.apache.org/jira/browse/SLING-9212
Project: Sling
Issue Type: Bug
Components: Content Distribution
Reporter: Mohit Arora
When a resource is distributed from one endpoint to another with RequestType set to DELETE, the execute method of SimpleDistributionAgent [checks the permissions for the passed resolver on given path(s)|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/SimpleDistributionAgent.java#L175]. In the case of a DELETE request, apart from the [configured permissions|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/PrivilegeDistributionRequestAuthorizationStrategy.java#L85], it also checks for {{jcr:removeNode}} permissions for the user on the path. This check happens on the exporter side but AFAIU, the actual deletion happens on the importer endpoint. The content does not get deleted on the exporter side. In that case, this permission check should happen on the importer side.
cc - [~marett], [~ashishc]