Author: jukka
Date: Fri Nov 22 20:57:13 2013
New Revision: 1544674
URL: http://svn.apache.org/r1544674
Log:
OAK-928: Read access is enforced on NEW items
Add NodeBuilder.isReplaced() and use it to detect cases where a read-protected
base state has been replaced with a fresh new one
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecureNodeBuilder.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/memory/MemoryNodeBuilder.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/memory/MutableNodeState.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/state/NodeBuilder.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/state/ReadOnlyBuilder.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/ShadowInvisibleContentTest.java
jackrabbit/oak/trunk/oak-jcr/pom.xml
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecureNodeBuilder.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecureNodeBuilder.java?rev=1544674&r1=1544673&r2=1544674&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecureNodeBuilder.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/SecureNodeBuilder.java
Fri Nov 22 20:57:13 2013
@@ -126,12 +126,14 @@ class SecureNodeBuilder implements NodeB
@Override
public boolean exists() {
- return getTreePermission().canRead() && builder.exists(); // TODO:
isNew()?
+ return builder.exists()
+ && (builder.isReplaced() || getTreePermission().canRead());
}
@Override
public boolean isNew() {
- return builder.isNew(); // TODO: might disclose hidden content
+ return builder.isNew()
+ || (builder.isReplaced() && !getTreePermission().canRead());
}
@Override
@@ -139,6 +141,11 @@ class SecureNodeBuilder implements NodeB
return builder.isModified();
}
+ @Override
+ public boolean isReplaced() {
+ return builder.isReplaced() && !isNew();
+ }
+
public void baseChanged() {
checkState(parent == null);
treePermission = null; // trigger re-evaluation of the context
@@ -165,7 +172,8 @@ class SecureNodeBuilder implements NodeB
@Override @CheckForNull
public PropertyState getProperty(String name) {
PropertyState property = builder.getProperty(name);
- if (property != null && getTreePermission().canRead(property)) {
+ if (property != null
+ && (getTreePermission().canRead(property) || isNew())) {
return property;
} else {
return null;
@@ -179,7 +187,7 @@ class SecureNodeBuilder implements NodeB
@Override
public synchronized long getPropertyCount() {
- if (getTreePermission().canReadProperties()) {
+ if (getTreePermission().canReadProperties() || isNew()) {
return builder.getPropertyCount();
} else {
return size(filter(
@@ -190,7 +198,7 @@ class SecureNodeBuilder implements NodeB
@Override @Nonnull
public Iterable<? extends PropertyState> getProperties() {
- if (getTreePermission().canReadProperties()) {
+ if (getTreePermission().canReadProperties() || isNew()) {
return builder.getProperties();
} else {
return filter(
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/memory/MemoryNodeBuilder.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/memory/MemoryNodeBuilder.java?rev=1544674&r1=1544673&r2=1544674&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/memory/MemoryNodeBuilder.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/memory/MemoryNodeBuilder.java
Fri Nov 22 20:57:13 2013
@@ -269,6 +269,11 @@ public class MemoryNodeBuilder implement
}
@Override
+ public boolean isReplaced() {
+ return head().isReplaced();
+ }
+
+ @Override
public long getChildNodeCount(long max) {
return head().getCurrentNodeState().getChildNodeCount(max);
}
@@ -534,6 +539,15 @@ public class MemoryNodeBuilder implement
*/
public abstract boolean isModified();
+ /**
+ * Check whether the associated builder represents a node that
+ * used to exist but was replaced with other content.
+ *
+ * @return {@code true} for a replaced node
+ */
+ public abstract boolean isReplaced();
+
+
}
private class UnconnectedHead extends Head {
@@ -585,6 +599,11 @@ public class MemoryNodeBuilder implement
}
@Override
+ public boolean isReplaced() {
+ return false;
+ }
+
+ @Override
public String toString() {
return toStringHelper(this).add("path", getPath()).toString();
}
@@ -633,6 +652,11 @@ public class MemoryNodeBuilder implement
}
@Override
+ public boolean isReplaced() {
+ return state.isReplaced(base());
+ }
+
+ @Override
public String toString() {
return toStringHelper(this).add("path", getPath()).toString();
}
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/memory/MutableNodeState.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/memory/MutableNodeState.java?rev=1544674&r1=1544673&r2=1544674&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/memory/MutableNodeState.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/memory/MutableNodeState.java
Fri Nov 22 20:57:13 2013
@@ -140,7 +140,10 @@ class MutableNodeState extends AbstractN
}
return false;
+ }
+ boolean isReplaced(NodeState before) {
+ return base != before;
}
/**
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/state/NodeBuilder.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/state/NodeBuilder.java?rev=1544674&r1=1544673&r2=1544674&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/state/NodeBuilder.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/state/NodeBuilder.java
Fri Nov 22 20:57:13 2013
@@ -114,6 +114,15 @@ public interface NodeBuilder {
boolean isModified();
/**
+ * Check whether this builder represents a node that used to exist but
+ * was then replaced with other content, for example as a result of
+ * a {@link #setChildNode(String)} call.
+ *
+ * @return {@code true} for a replaced node
+ */
+ boolean isReplaced();
+
+ /**
* Returns the current number of child nodes.
* <p>
* If an implementation does know the exact value, it returns it (even if
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/state/ReadOnlyBuilder.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/state/ReadOnlyBuilder.java?rev=1544674&r1=1544673&r2=1544674&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/state/ReadOnlyBuilder.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/state/ReadOnlyBuilder.java
Fri Nov 22 20:57:13 2013
@@ -60,6 +60,11 @@ public class ReadOnlyBuilder implements
return false;
}
+ @Override
+ public boolean isReplaced() {
+ return false;
+ }
+
@Override @Nonnull
public NodeState getNodeState() {
return state;
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/ShadowInvisibleContentTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/ShadowInvisibleContentTest.java?rev=1544674&r1=1544673&r2=1544674&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/ShadowInvisibleContentTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/evaluation/ShadowInvisibleContentTest.java
Fri Nov 22 20:57:13 2013
@@ -36,7 +36,6 @@ import static org.junit.Assert.fail;
public class ShadowInvisibleContentTest extends AbstractOakCoreTest {
@Test
- @Ignore // FIXME OAK-709 - see TODO in SecureNodeBuilder.exists()
public void testShadowInvisibleNode() throws Exception {
setupPermission("/a", testPrincipal, true, PrivilegeConstants.JCR_ALL);
setupPermission("/a/b", testPrincipal, false,
PrivilegeConstants.JCR_ALL);
Modified: jackrabbit/oak/trunk/oak-jcr/pom.xml
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/pom.xml?rev=1544674&r1=1544673&r2=1544674&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-jcr/pom.xml Fri Nov 22 20:57:13 2013
@@ -103,7 +103,6 @@
org.apache.jackrabbit.test.api.version.MergeSubNodeTest
<!-- Permission Evaluation -->
-
org.apache.jackrabbit.oak.jcr.security.authorization.WriteTest#testWriteOnParentWithNoReadePriv<!--
OAK-869 -->
org.apache.jackrabbit.oak.jcr.security.authorization.WriteTest#testMoveRemoveSubTree
<!-- OAK-1115 blocked by OAK-783 -->
org.apache.jackrabbit.oak.jcr.security.authorization.VersionManagementTest#testRemoveVersion
<!-- OAK-168 -->
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java?rev=1544674&r1=1544673&r2=1544674&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
Fri Nov 22 20:57:13 2013
@@ -423,7 +423,6 @@ public class WriteTest extends AbstractE
}
@Test
- @Ignore("OAK-869") // FIXME: OAK-869
public void testWriteOnParentWithNoReadePriv() throws Exception {
Node a = superuser.getNode(path).addNode("a");
allow(path, testUser.getPrincipal(), readWritePrivileges);
