stefan-egli commented on code in PR #1011:
URL: https://github.com/apache/jackrabbit-oak/pull/1011#discussion_r1275933780
##########
oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/NodeImpl.java:
##########
@@ -1015,6 +1015,9 @@ public void checkPreconditions() throws
RepositoryException {
throw new VersionException(format(
"Cannot add mixin type. Node [%s] is checked in.",
getNodePath()));
}
+ // OAK-10334: adding mixin requires permission to read
existing mixin types
+ PropertyState prop =
PropertyStates.createProperty(JCR_MIXINTYPES, singleton(oakTypeName), NAMES);
+
sessionContext.getAccessManager().checkPermissions(dlg.getTree(), prop,
Permissions.READ_PROPERTY);
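Review bot: The PropertyState passed to checkPermissions in the added lines is built from singleton(oakTypeName), i.e. the mixin being added, while the comment above it says the permission is about reading the existing mixin types. Please state in the comment that the property is synthesized only so that READ_PROPERTY is evaluated for JCR_MIXINTYPES on dlg.getTree(), or, where the node already carries that property, check against the stored one. The new check also runs after the checked-in VersionException, so a session without read access to jcr:mixinTypes still gets the checked-in error first; worth confirming that this ordering is intended.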
Review Comment:
@anchela,

> i wonder if it wouldn't be better to also adopt a similar approach as we
> use in {{NodeImpl.getPrimaryType}} and {{getMixinTypeNames}}.... i.e. making
> sure we don't overwrite the type in the tree-util by potentially reading the
> value from the read-only tree

Are you referring to OAK-2441, so basically bypassing the read restriction
by force-reading through a `getReadOnlyTree`?

> also: if we want to keep the permission check here, we should also adjust
> Node.canAddMixin

+1 - except I guess if we went the `getReadOnlyTree` way, then this wouldn't
be needed