[
https://issues.apache.org/jira/browse/JCR-3858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14358437#comment-14358437
]
Cédric Damioli commented on JCR-3858:
-------------------------------------
Patch looks good (gather both old and new behaviour), but do we want to ensure
backward compatibility even in case of a possible security problem ?
If so, that's ok.
> NodeIterator.getSize(): compatibility with Jackrabbit 2.5
> ---------------------------------------------------------
>
> Key: JCR-3858
> URL: https://issues.apache.org/jira/browse/JCR-3858
> Project: Jackrabbit Content Repository
> Issue Type: New Feature
> Affects Versions: 2.6.2, 2.7
> Reporter: Thomas Mueller
> Assignee: Thomas Mueller
>
> In Jackrabbit 2.5 and older, the query result set (NodeIterator.getSize())
> was an estimation that sometimes included nodes that are not visible for the
> current user.
> This is a possible security problem. The behavior was changed (and the
> security problem fixed) in JCR-3402. However, this is an incompatibility with
> Jackrabbit 2.5.
> I suggest to make this configurable in workspace.xml / repository.xml (or a
> system property, if that turns out to be too complicated). The default is the
> current (secure) behavior, with the option to use the old variant.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
