anchela commented on code in PR #1011:
URL: https://github.com/apache/jackrabbit-oak/pull/1011#discussion_r1259542606
##########
oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/NodeImpl.java:
##########
@@ -1015,6 +1015,9 @@ public void checkPreconditions() throws
RepositoryException {
throw new VersionException(format(
"Cannot add mixin type. Node [%s] is checked in.",
getNodePath()));
}
+ // OAK-10334: adding mixin requires permission to read
existing mixin types
+ PropertyState prop =
PropertyStates.createProperty(JCR_MIXINTYPES, singleton(oakTypeName), NAMES);
+
sessionContext.getAccessManager().checkPermissions(dlg.getTree(), prop,
Permissions.READ_PROPERTY);
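Review bot: the added check in checkPreconditions() builds its PropertyState from singleton(oakTypeName), so READ_PROPERTY is evaluated against a synthetic jcr:mixinTypes value holding only the mixin being added, while the comment above it says the requirement is to read the existing mixin types. Suggest expanding the comment to say why a synthetic property is sufficient here, or running the check against the jcr:mixinTypes property on dlg.getTree() when one exists. It would also help to document what the caller sees when checkPermissions rejects the request, since the neighbouring precondition throws VersionException with an explicit message.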
Review Comment:
Hi @mreutegg, I wonder if it wouldn't be better to also adopt a similar
approach as we use in {{NodeImpl.getPrimaryType}} and {{getMixinTypeNames}},
i.e. making sure we don't overwrite the type in the tree-util by potentially
reading the value from the read-only tree, in particular since
TreeUtil.addMixins is also called internally, afaik, in the Oak code. In other
words: this problem may still occur in case the mixin is added directly in the
Oak API (and not through the JCR API), as this happens in the implementation.
Also: if we want to keep the permission check here, we should also adjust
Node.canAddMixin.