[
https://issues.apache.org/jira/browse/JCR-2418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
angela updated JCR-2418:
------------------------
Attachment: JCR-2418.patch
patch modifying ItemManager#getDefinitiion(NodeState) and
#getDefinition(PropertyState) replacing getItem(NodeId parentId) by calls that
omit the permission check.
and 2 tests cases:
a) node and it's definition is accessible even if the parent cannot be read
b) child nodes can be added to node B even B's parent A cannot be read
> Read permission on parent node required to access an item's definition
> ----------------------------------------------------------------------
>
> Key: JCR-2418
> URL: https://issues.apache.org/jira/browse/JCR-2418
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-core
> Reporter: angela
> Attachments: JCR-2418.patch
>
>
> If a session is granted all permissions on a given item B but lacks
> permission to read it's parent node A an attempt to
> access the definition of B by means of Node.getDefinition or
> Property.getDefinition will fail with AccessDeniedException.
> Similarly, the same session will not be able to modify that item B - e.g. add
> a child node in case it was a node - since implementation e.g. checks of that
> item B isn't protected, which is determined by looking at the definition.
> My feeling is, that the item definition should be accessible even if the
> parent node cannot be read.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
