[ https://issues.apache.org/jira/browse/SLING-897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12901182#action_12901182 ]
Eric Norman commented on SLING-897: ----------------------------------- These steps can be used to verify the privileges needed to modify a property: 1. Create user as admin (OK) curl -F:name=myuser -Fpwd=password -FpwdConfirm=password http://admin:ad...@localhost:8080/system/userManager/user.create.html 2. Create node as admin (OK) curl -F:name=node -FpropOne=propOneValue1 -FpropOne=propOneValue2 http://admin:ad...@localhost:8080/test/ 3. Attempt to update property of node as myuser (500: javax.jcr.AccessDeniedException: /test/node/propOne: not allowed to add or modify item) curl -FpropOne=propOneValueChanged http://myuser:passw...@localhost:8080/test/node 4. Grant jcr:modifyProperties rights to myuser as admin (OK) curl -FprincipalId=myuser -fprivil...@jcr:modifyProperties=granted http://admin:ad...@localhost:8080/test/node.modifyAce.html 5. Attempt to update properties of node (OK) curl -FpropOne=propOneValueChanged http://myuser:passw...@localhost:8080/test/node > Updating a property fires the wrong JCR events > ---------------------------------------------- > > Key: SLING-897 > URL: https://issues.apache.org/jira/browse/SLING-897 > Project: Sling > Issue Type: Bug > Components: Servlets > Affects Versions: Servlets Post 2.0.2 > Reporter: christian > Assignee: Eric Norman > Priority: Minor > > If you set a single value Proeprty with a Post handled by the PostServlet, > the related property is removed first and than the value is set. > While the effect is the desired change of the Property's value, it has > side-effects. > Et least the connected session has to have remove-privilege to set the > property. > Eventing may be unexpected, and other may result. > Example: > String path = "/content/node1"; > String pName = "property1"; > Node node = (Node) session.getRootNode().getIem(path); > try { > session.checkPermission(path+"/"+pName, "set_property") > //==allowed > } catch (AccessControlException) { > } > But > POST "/content/node1" > property1=test > => AccessDenied -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.