[
https://issues.apache.org/jira/browse/JCR-1613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12649689#action_12649689
]
angela commented on JCR-1613:
-----------------------------
When moving a node using Session.move() the moved node doesn't get marked as
removed (as it would be upon Node.remove). Since the permissions are checked
based on the state modifications upon save() only, the check for REMOVE
permission is omitted.
However: The same test being execute with a Workspace.move(String, String)
would fail, as the BatchedItemOperations explicitely check for both: REMOVE
permission on the target node and ADD_NODE permission on the destination parent.
For consistency between Session.move() and Workspace.move() i would opt for
adding the corresponding permission check to Session.move().
> REMOVE access is not checked when moving a node
> -----------------------------------------------
>
> Key: JCR-1613
> URL: https://issues.apache.org/jira/browse/JCR-1613
> Project: Jackrabbit
> Issue Type: Bug
> Components: jackrabbit-core
> Affects Versions: core 1.4.4
> Reporter: Roman Puchkovskiy
> Attachments: test-remove-access.zip
>
>
> When a node cannot be removed because AccessManager does not allow this, it
> still can be moved (using Session.move()).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
