[
https://issues.apache.org/jira/browse/JCR-1743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jukka Zitting updated JCR-1743:
-------------------------------
Fix Version/s: (was: core 1.4.6)
This is actually not just a Session.checkPermission issue, it also affects
ItemImpl.save where we also check the permissions. We should keep
checkPermission in line with the actual permission checks in save().
The ItemImpl.save method never checks permissions on new items, it just allows
the addition of a property of a node if it's OK to modify the parent.
If we modify this, should we also change the way child node additions are
handled?
I'm untagging this from 1.4.6 as it's not clear how this should be handled. We
can create a 1.4.7 release later once there's consensus on what to do.
> Session.checkPermission: add_node and set_property evaluation are not handled
> differently
> -----------------------------------------------------------------------------------------
>
> Key: JCR-1743
> URL: https://issues.apache.org/jira/browse/JCR-1743
> Project: Jackrabbit
> Issue Type: Improvement
> Components: jackrabbit-core, security
> Affects Versions: core 1.4.5
> Reporter: Tobias Bocanegra
> Assignee: Jukka Zitting
> Attachments: JCR-1743-alternative.patch, JCR-1743.patch
>
>
> if the property does not exist yet, Session.checkPermission invokes an
> AccessManager.checkPermission(... WRITE) for both cases. i.e. the access
> manager has no means for handle a "add_node" differently from a
> "set_property"
> suggest to create a fake property id for the case where the property does not
> exist.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
