[
https://issues.apache.org/jira/browse/JS2-900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ate Douma reassigned JS2-900:
-----------------------------
Assignee: Vivek Kumar
> SiteView should throw SecurityException when a Node is not accessible instead
> of NodeNotFoundException
> ------------------------------------------------------------------------------------------------------
>
> Key: JS2-900
> URL: https://issues.apache.org/jira/browse/JS2-900
> Project: Jetspeed 2
> Issue Type: Bug
> Components: Profiling/Portal Navigation
> Affects Versions: 2.1.3
> Reporter: Ate Douma
> Assignee: Vivek Kumar
> Priority: Critical
> Fix For: 2.2
>
> Original Estimate: 4h
> Remaining Estimate: 4h
>
> SiteView.getNodeProxy uses currentFolder.getAll() to lookup a target path
> (element).
> FolderImpl.getAll() (both PSML and DB versions) will filter out any Node for
> which the current user doesn't have access.
> But this means there is no distinction possible between a not-existing page
> access and not-allowed page access (e.g. 404 or 403).
> The ProfilerValveImpl (invoking these) already can handle a thrown
> SecurityException and send a SC_FORBIDDEN error (if configured to do so).
> So, the intended behavior already is to support this.
> We just need to fix SiteView.getNodeProxy a little like calling
> currentFolder.getAllNodes() and perform a security check itself *if* the path
> was resolved.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
