Bogdan Stefanescu wrote:
>
> Last night I reviewed and updated security checks done in public API.
> I sent to some of us the list of checks that are performed for validation.
> This should be a regression because I put a security check in the
> method getACP()
> that checks if user has ReadSecurity permission.
>
> As ReadSecurity is not in Read group a user having only Read
> permission will not be able to get the ACP of the document.
> Maybe the ACP is fetched through getACP() method when entering the
> domain and so security exception is thrown.
> I see 2 possible fixes:
> 1. don't check ReadSecurity when calling getACP()
> 2. put ReadSecurity in Read group
Right. Thierry did choose 2.
J.
--
Julien Anguenot | Nuxeo R&D (Paris, France)
Open Source ECM - http://www.nuxeo.com
Nuxeo 5 : http://www.nuxeo.org
Mobile: +33 (0) 6 72 57 57 66
