Posted to oak-issues@jackrabbit.apache.org by "Angela Schreiber (Jira)" <ji...@apache.org> on 2020/02/03 10:29:00 UTC
[jira] [Comment Edited] (OAK-8855) Permission evaluation of nodes broken after :nestedCug removed from parent node
[ https://issues.apache.org/jira/browse/OAK-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028797#comment-17028797 ]
Angela Schreiber edited comment on OAK-8855 at 2/3/20 10:28 AM:
----------------------------------------------------------------
[~kunal3112], I committed your patch with minimal modifications (protected constants can be package private): r1873524. Thanks for improving the tests!
was (Author: anchela):
[~kunal3112], I committed your patch with minimal modifications (protected constants can be package private). Thanks for improving the tests!
> Permission evaluation of nodes broken after :nestedCug removed from parent node
> -------------------------------------------------------------------------------
>
> Key: OAK-8855
> URL: https://issues.apache.org/jira/browse/OAK-8855
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: authorization-cug
> Affects Versions: 1.8.7
> Reporter: Kunal Shubham
> Assignee: Angela Schreiber
> Priority: Major
> Fix For: 1.26.0
>
> Attachments: OAK-8855.patch, OAK-8855_backport.patch
>
>
> Steps to Reproduce:
> # Create a node 'a' which has two child nodes 'b1' and 'b2'. The content tree looks as shown: /content/a/b1, /content/a/b2. Create two users, user1 and user2.
> # Apply CUG policy on /content/a.
> ** Authorize user1 and user2 to read /content/a.
> ** Authorize user1 to read /content/a/b1.
> ** Authorize user2 to read /content/a/b2.
> # Remove :nestedCugs property from /content/a/rep:cugPolicy.
> # Create a content session, login with user2. Try to read /content/a/b1.
> *Observed behavior*: user2 is able to read /content/a/b1.
> *Expected behavior*: user2 should not be able to read /content/a/b1 as it is unauthorized to do so.
> Please note that :nestedCugs is removed by a mechanism which completely overwrites content tree below "/content/a".