[jira] [Commented] (JCR-3492) versionHistory.addVersionLabel() fails with AccessDeniedException even when user has proper permission

[Tobias Bocanegra (JIRA)]

    [ 
https://issues.apache.org/jira/browse/JCR-3492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13556614#comment-13556614
 ] 

Tobias Bocanegra commented on JCR-3492:
---------------------------------------

checkin/checkout also modify the node that is checked in/out. so the user needs 
at least write permission on that node.
version history modification (e.g. setting the labels) does not modify the 
versionable nodes, so no special requirement needed.

the main problem is that we cannot tie the ACL solely on the node that was 
versioned, because a) it might not exist anymore and b) users might have 
different ACLs on other workspaces.

IMO, the user needs: 
* both write access on the version history and write access on the node for 
checkin/checkout etc.
* write access to the version history for label modifications (and delete 
version etc).

                
> versionHistory.addVersionLabel() fails with AccessDeniedException even when 
> user has proper permission
> ------------------------------------------------------------------------------------------------------
>
>                 Key: JCR-3492
>                 URL: https://issues.apache.org/jira/browse/JCR-3492
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-core, security, versioning
>    Affects Versions: 2.5.2
>            Reporter: Amit Gupta
>            Priority: Critical
>
> If a user does not have access to version store node and following operation 
> fails with access denied
> versionHistory.addVersionLabel(version.getName(), label, true);
> 16.01.2013 12:23:44.740 WARN [0:0:0:0:0:0:0:1 [1358319224592] GET 
> /libs/dam/gui/content/assets/versioning/createversion.html HTTP/1.1] 
> com.adobe.granite.asset.core.impl.AssetVersionManagerImpl Failed to add 
> version label javax.jcr.AccessDeniedException: Access denied.
> at 
> org.apache.jackrabbit.core.security.DefaultAccessManager.checkPermission(DefaultAccessManager.java:193)
> at 
> org.apache.jackrabbit.core.version.VersionHistoryImpl.checkVersionManagementPermission(VersionHistoryImpl.java:311)
> at 
> org.apache.jackrabbit.core.version.VersionHistoryImpl.addVersionLabel(VersionHistoryImpl.java:172)
> whereas the user have proper acl on the node that is being versioned. checkin 
> and checkout operations are successful, it is just the addVersionlabel that 
> fails.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira