[ https://issues.apache.org/jira/browse/JCR-2774?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela resolved JCR-2774.
-------------------------
Resolution: Fixed
Fix Version/s: 2.3.1
Done for the default, resource-based access control implementation.
Apart from the repository operations defined by the JCR API, the registration of new
privileges is controlled by the same mechanism, replacing the hardcoded check
for the editing session being 'admin'.
> Access control for repository level API operations
> --------------------------------------------------
>
> Key: JCR-2774
> URL: https://issues.apache.org/jira/browse/JCR-2774
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-core, security
> Reporter: angela
> Assignee: angela
> Fix For: 2.3.1
>
>
> It is an open issue (I guess since Jackrabbit 1.0) that the repository level
> write operations lack any kind of permission check.
> This issue has been raised during specification of JSR 283 [1] but didn't
> make it into the specification (left to implementation).
> In Jackrabbit 2.0 this affects the following parts of the API:
> - namespace registration
> - node type registration
> - workspace creation/removal
> Based on an issue reported by David ("currently an anonymous user can write
> the namespace registry which is probably undesirable [...]"), we could at
> least add some minimal restrictions. In addition I would like to take up
> this discussion for JSR 333.
> [1] https://jsr-283.dev.java.net/issues/show_bug.cgi?id=486