[
https://issues.apache.org/jira/browse/JCR-1743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jukka Zitting updated JCR-1743:
-------------------------------
Attachment: JCR-1743.patch
Proposed patch that creates a new PropertyId for the non-existing property and
uses that in the AccessManager.checkPermission call.
While I was at it, I also added safeguards against paths like
/path/to/property/property or
/path/to/new-property-that-has-the-same-name-as-an-existing-node.
The trouble with this patch is that it may break existing AccessManager
implementations that expect checkPermission calls for new properties to be
WRITE requests for the parent node. Perhaps we should add a marker interface or
something similar that an AccessManager that does need this functionality must
implement. This way we could keep full backwards compatibility at the expense
of some extra trouble.
Note that all this will only affect the 1.4 branch.
> Session.checkPermission: add_node and set_property evaluation are not handled
> differently
> -----------------------------------------------------------------------------------------
>
> Key: JCR-1743
> URL: https://issues.apache.org/jira/browse/JCR-1743
> Project: Jackrabbit
> Issue Type: Bug
> Affects Versions: core 1.4.5
> Reporter: Tobias Bocanegra
> Assignee: Jukka Zitting
> Fix For: core 1.4.6
>
> Attachments: JCR-1743.patch
>
>
> if the property does not exist yet, Session.checkPermission invokes an
> AccessManager.checkPermission(... WRITE) for both cases. i.e. the access
> manager has no means for handle a "add_node" differently from a
> "set_property"
> suggest to create a fake property id for the case where the property does not
> exist.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
