[ https://issues.apache.org/jira/browse/JCR-2754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917501#action_12917501 ]
angela commented on JCR-2754:
-----------------------------
I think the description of the privilege is not accurate, for the following
reason. Initially the access control mechanism to control the creation,
modification and removal of properties was jcr:modifyProperties ("the privilege
to create, modify and remove the properties of a node"). This equally affected
protected and non-protected properties. In a later stage of JSR-283 this
approach was questioned [1] and the EG decided to define specific
privileges for those protected properties set (not only changed) by JCR API
methods. In other words, jcr:nodeTypeManagement is a replacement for
jcr:modifyProperty for the protected properties jcr:mixinTypes and
jcr:primaryType. If, in the case of jcr:primaryType, its functionality was
limited to Node.setPrimaryType, the API consumer could just work around the
missing privilege by always using Node.addNode(String, String) or by using
export-import functionality to change the primary type later on. From my point
of view we should resolve this issue wontfix and fix the specification.
[1] https://jsr-283.dev.java.net/issues/show_bug.cgi?id=486
> jcr:nodeTypeManagement necessary for addNode("name", "type")?
> -------------------------------------------------------------
>
> Key: JCR-2754
> URL: https://issues.apache.org/jira/browse/JCR-2754
> Project: Jackrabbit Content Repository
> Issue Type: Improvement
> Components: jackrabbit-core, security
> Affects Versions: 2.0.0, 2.1.0, 2.1.1
> Reporter: Jukka Zitting
> Assignee: angela
> Priority: Minor
>
> Our current implementation of addNode("name", "type") requires the
> jcr:nodeTypeManagement permission, that's defined by JSR 283 as the
> "privilege to add and remove mixin node types and change the primary node
> type of a node".
> In a private discussion this implementation was questioned, based on the
> argument that the spec seems to only refer to "changing" the primary type,
> not specifying it during creation.
> Personally I don't care too much either way, and since the only harm done by
> the current implementation seems to be some confusion, I'd rather not change
> the implementation to prevent backwards compatibility issues.
> Anyway, I'm filing this issue to solicit feedback from the community. If the
> consensus is that addNode("name", "type") shouldn't need the
> jcr:nodeTypeManagement permission, then we should clarify the spec in JSR 333
> and make this change in Jackrabbit 3.0. Otherwise we'll just resolve this
> issue as Won't Fix.