[
https://issues.apache.org/jira/browse/SLING-9212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Timothee Maret reassigned SLING-9212:
-------------------------------------
Assignee: Timothee Maret
> Distribution code checks for jcr:removeNode permissions on importer side for
> DELETE request
> -------------------------------------------------------------------------------------------
>
> Key: SLING-9212
> URL: https://issues.apache.org/jira/browse/SLING-9212
> Project: Sling
> Issue Type: Bug
> Components: Content Distribution
> Reporter: Mohit Arora
> Assignee: Timothee Maret
> Priority: Major
> Fix For: Content Distribution Core 0.4.4
>
>
> When a resource is distributed from one endpoint to other with RequestType
> set to DELETE, the execute method of SimpleDistributionAgent [checks the
> permissions for the passed resolver on given
> path(s)|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/SimpleDistributionAgent.java#L175].
> In case of DELETE request, apart from the [configured
> permissions|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/PrivilegeDistributionRequestAuthorizationStrategy.java#L85],
> it also checks for {{jcr:removeNode}} permissions for the user on the path.
> This check happens on the exporter side but AFAIU, the actual deletion
> happens on the importer endpoint. The content does not get deleted on
> exporter side. In that case, this permission check should happen on importer
> side.
> cc - [~marett], [~ashishc]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
