[jira] [Commented] (SLING-9212) Distribution code checks for jcr:removeNode permissions on importer side for DELETE request

Wed, 22 Apr 2020 04:03:26 -0700 


    [ 
https://issues.apache.org/jira/browse/SLING-9212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17089558#comment-17089558
 ] 

Mohit Arora commented on SLING-9212:
------------------------------------

Raised a PR for the proposed approach - 
https://github.com/apache/sling-org-apache-sling-distribution-core/pull/40

Please note that before including the released version of distribution.core 
with these changes into the CQ/quickstart repo, the configurations for 
{{PrivilegeDistributionRequestAuthorizationStrategyFactory}} will have to be 
changed to include the mandatory {{jcrAddPrivileges}} and 
{{jcrDeleteprivileges}} properties.

> Distribution code checks for jcr:removeNode permissions on importer side for 
> DELETE request
> -------------------------------------------------------------------------------------------
>
>                 Key: SLING-9212
>                 URL: https://issues.apache.org/jira/browse/SLING-9212
>             Project: Sling
>          Issue Type: Bug
>          Components: Content Distribution
>            Reporter: Mohit Arora
>            Assignee: Timothee Maret
>            Priority: Major
>             Fix For: Content Distribution Core 0.4.4
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> When a resource is distributed from one endpoint to other with RequestType 
> set to DELETE, the execute method of SimpleDistributionAgent [checks the 
> permissions for the passed resolver on given 
> path(s)|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/SimpleDistributionAgent.java#L175].
>  In case of DELETE request, apart from the [configured 
> permissions|https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/PrivilegeDistributionRequestAuthorizationStrategy.java#L85],
>  it also checks for {{jcr:removeNode}} permissions for the user on the path. 
> This check happens on the exporter side but AFAIU, the actual deletion 
> happens on the importer endpoint. The content does not get deleted on 
> exporter side. In that case, this permission check should happen on importer 
> side.
> cc - [~marett], [~ashishc]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to