Mohit Arora created SLING-9212:
----------------------------------
Summary: Distribution.core checks for jcr:removeNode permissions
on importer side for DELETE request
Key: SLING-9212
URL: https://issues.apache.org/jira/browse/SLING-9212
Project: Sling
Issue Type: Bug
Components: Content Distribution
Reporter: Mohit Arora

When a resource is distributed from one endpoint to another with RequestType set
to DELETE, the execute method of SimpleDistributionAgent [checks the
permissions for the passed resolver on the given
path(s)|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/SimpleDistributionAgent.java#L175].

In the case of a DELETE request, apart from the [configured
permissions|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/PrivilegeDistributionRequestAuthorizationStrategy.java#L85],
it also checks for {{jcr:removeNode}} permissions for the user on the path.

This check happens on the exporter side but AFAIU, the actual deletion happens
on the importer endpoint. The content does not get deleted on the exporter side. In
that case, this permission check should happen on the importer side.

cc - [~marett], [~ashishc]