[ http://issues.apache.org/jira/browse/MUSE-73?page=comments#action_12430126 ] Dan Jemiolo commented on MUSE-73: ---------------------------------
The check is only meant to protect against *server-side* code that is trying to insert/delete/etc. If you look at canInsert() and canUpdate(), they also ignore the modifiability attribute. The WSRP implementation, when validating a request against the metadata, relies on both these methods *and* the isReadOnlyExternal() method to figure out if a) any modifications are allowed by server-side code, and b) if the request is server-side. This protects against remote clients trying to delete unmodifiable properties but allows server-side code to delete properties that are mutable but cannot be modified by remote clients. The reason the two attributes exist is to allow for this use case. Please update if you have a case where a remote client can delete/modify a property is has modifiability="read-only". > The Metadata implementation allows read-only properties to be deleted > --------------------------------------------------------------------- > > Key: MUSE-73 > URL: http://issues.apache.org/jira/browse/MUSE-73 > Project: Muse > Issue Type: Bug > Components: WSRF WSRMD ResourceMetadataCapability and > MetadataResource > Affects Versions: 2.0.0 M2 > Environment: any > Reporter: Mohammad Fakhar > Assigned To: Dan Jemiolo > Priority: Minor > Attachments: rmdpatch > > > The SimpleMetadataDescriptor implementation returns true for canDelete even > if a property's modifiability has been > set to read-only. > public boolean canDelete(QName propertyQName) > { > // > // deletion requires mutability (AND isReadOnlyExternal() == false) > // > PropertyMetadata property = getProperty(propertyQName); > > return property.getMutability() == PropertyMetadata.MUTABLE; > } > As show above, only mutability is being checked for, not modifiability, as a > result deletion > of read-only properties is allowed. > Attached is a patch that fixes this by also checking for modifiability. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
