Author: angela
Date: Mon Nov 25 16:43:05 2013
New Revision: 1545340
URL: http://svn.apache.org/r1545340
Log:
OAK-710 : PermissionValidator: Proper permission evaluation for moving/renaming
nodes (WIP)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidator.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
jackrabbit/oak/trunk/oak-jcr/pom.xml
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/SessionDelegate.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/WorkspaceImpl.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WorkspaceMoveTest.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidator.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidator.java?rev=1545340&r1=1545339&r2=1545340&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidator.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/MoveAwarePermissionValidator.java
Mon Nov 25 16:43:05 2013
@@ -16,8 +16,6 @@
*/
package org.apache.jackrabbit.oak.security.authorization.permission;
-import java.util.HashSet;
-import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
@@ -33,6 +31,7 @@ import org.apache.jackrabbit.oak.spi.sec
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.state.NodeState;
+import org.apache.jackrabbit.util.Text;
/**
* MoveAwarePermissionValidator... TODO
@@ -50,9 +49,9 @@ public class MoveAwarePermissionValidato
moveCtx = new MoveContext(moveTracker, rootTreeBefore, rootTreeAfter);
}
- MoveAwarePermissionValidator(@Nullable Tree parentBefore,
- @Nullable Tree parentAfter,
- @Nullable TreePermission parentPermission,
+ MoveAwarePermissionValidator(@Nullable ImmutableTree parentBefore,
+ @Nullable ImmutableTree parentAfter,
+ @Nonnull TreePermission parentPermission,
@Nonnull PermissionValidator parentValidator)
{
super(parentBefore, parentAfter, parentPermission, parentValidator);
@@ -61,7 +60,10 @@ public class MoveAwarePermissionValidato
}
@Override
- PermissionValidator createValidator(@Nullable Tree parentBefore, @Nullable
Tree parentAfter, @Nullable TreePermission parentPermission, @Nonnull
PermissionValidator parentValidator) {
+ PermissionValidator createValidator(@Nullable ImmutableTree parentBefore,
+ @Nullable ImmutableTree parentAfter,
+ @Nonnull TreePermission
parentPermission,
+ @Nonnull PermissionValidator
parentValidator) {
if (moveCtx.containsMove(parentBefore, parentAfter)) {
return new MoveAwarePermissionValidator(parentBefore, parentAfter,
parentPermission, parentValidator);
} else {
@@ -69,9 +71,15 @@ public class MoveAwarePermissionValidato
}
}
- private Validator visibleValidator(ImmutableTree source, ImmutableTree
dest) {
- TreePermission tp =
getParentPermission().getChildPermission(source.getName(), source.unwrap());
- Validator validator = super.createValidator(source, dest, tp, this);
+ private Validator visibleValidator(@Nonnull ImmutableTree source,
+ @Nonnull ImmutableTree dest) {
+ // TODO improve: avoid calculating the 'before' permissions in case
the current parent permissions already point to the correct tree.
+ ImmutableTree parent = moveCtx.rootBefore.getTree("/");
+ TreePermission tp = getPermissionProvider().getTreePermission(parent,
TreePermission.EMPTY);
+ for (String n : source.getPath().split("/")) {
+ tp = tp.getChildPermission(n, parent.getChild(n).unwrap());
+ }
+ Validator validator = createValidator(source, dest, tp, this);
return new VisibleValidator(validator, true, false);
}
@@ -95,15 +103,13 @@ public class MoveAwarePermissionValidato
}
//--------------------------------------------------------------------------
- private static final class MoveContext {
+ private final class MoveContext {
private final MoveTracker moveTracker;
private final ImmutableRoot rootBefore;
private final ImmutableRoot rootAfter;
- private final Set<ImmutableTree> processed = new
HashSet<ImmutableTree>();
-
private MoveContext(@Nonnull MoveTracker moveTracker,
@Nonnull ImmutableTree treeBefore,
@Nonnull ImmutableTree treeAfter) {
@@ -120,52 +126,46 @@ public class MoveAwarePermissionValidato
// check permissions for adding the moved node at the target
location.
validator.checkPermissions(child, false, Permissions.ADD_NODE |
Permissions.NODE_TYPE_MANAGEMENT);
- if (processed.contains(child)) {
- return true;
- } else {
- // FIXME: respect and properly handle move-operations in the
subtree
- String sourcePath =
moveTracker.getOriginalSourcePath(child.getPath());
- if (sourcePath != null) {
- ImmutableTree source = rootBefore.getTree(sourcePath);
- if (source.exists()) {
- return diff(source, child, validator);
- } // FIXME: else...
- }
- return false;
+ // FIXME: respect and properly handle move-operations in the
subtree
+ String sourcePath =
moveTracker.getOriginalSourcePath(child.getPath());
+ if (sourcePath != null) {
+ ImmutableTree source = rootBefore.getTree(sourcePath);
+ if (source.exists()) {
+ ImmutableTree rootTree = rootBefore.getTree("/");
+ TreePermission tp =
getPermissionProvider().getTreePermission(rootTree, TreePermission.EMPTY);
+ for (String seg : Text.explode(sourcePath, '/')) {
+ tp = tp.getChildPermission(seg,
rootTree.getChild(seg).unwrap());
+ }
+ return diff(source, child, validator);
+ } // FIXME: else...
}
+ return false;
}
private boolean processDelete(ImmutableTree child,
MoveAwarePermissionValidator validator) throws CommitFailedException {
// check permissions for removing that node.
validator.checkPermissions(child, true, Permissions.REMOVE_NODE);
- if (processed.contains(child)) {
- return true;
- } else {
- // FIXME: respect and properly handle move-operations in the
subtree
- String destPath = moveTracker.getDestPath(child.getPath());
- if (destPath != null) {
- ImmutableTree dest = rootAfter.getTree(destPath);
- if (dest.exists()) {
- return diff(child, dest, validator);
- } // FIXME: else...
- }
-
- return false;
+ // FIXME: respect and properly handle move-operations in the
subtree
+ String destPath = moveTracker.getDestPath(child.getPath());
+ if (destPath != null) {
+ ImmutableTree dest = rootAfter.getTree(destPath);
+ if (dest.exists()) {
+ return diff(child, dest, validator);
+ } // FIXME: else...
}
+
+ return false;
}
private boolean diff(ImmutableTree source, ImmutableTree dest,
MoveAwarePermissionValidator validator) throws
CommitFailedException {
Validator nextValidator = validator.visibleValidator(source, dest);
CommitFailedException e = EditorDiff.process(nextValidator ,
source.unwrap(), dest.unwrap());
- if (e == null) {
- processed.add(source);
- processed.add(dest);
- return true;
- } else {
+ if (e != null) {
throw e;
}
+ return true;
}
}
}
\ No newline at end of file
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java?rev=1545340&r1=1545339&r2=1545340&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
Mon Nov 25 16:43:05 2013
@@ -25,6 +25,7 @@ import org.apache.jackrabbit.oak.api.Com
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.core.AbstractTree;
+import org.apache.jackrabbit.oak.core.ImmutableTree;
import org.apache.jackrabbit.oak.plugins.lock.LockConstants;
import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
@@ -47,15 +48,16 @@ import static org.apache.jackrabbit.oak.
*/
class PermissionValidator extends DefaultValidator {
- private final Tree parentBefore;
- private final Tree parentAfter;
+ private final ImmutableTree parentBefore;
+ private final ImmutableTree parentAfter;
private final TreePermission parentPermission;
private final PermissionProvider permissionProvider;
private final PermissionValidatorProvider provider;
private final long permission;
- PermissionValidator(@Nonnull Tree rootTreeBefore, @Nonnull Tree
rootTreeAfter,
+ PermissionValidator(@Nonnull ImmutableTree rootTreeBefore,
+ @Nonnull ImmutableTree rootTreeAfter,
@Nonnull PermissionProvider permissionProvider,
@Nonnull PermissionValidatorProvider provider) {
this.parentBefore = rootTreeBefore;
@@ -68,7 +70,8 @@ class PermissionValidator extends Defaul
permission =
Permissions.getPermission(PermissionUtil.getPath(parentBefore, parentAfter),
Permissions.NO_PERMISSION);
}
- PermissionValidator(@Nullable Tree parentBefore, @Nullable Tree
parentAfter,
+ PermissionValidator(@Nullable ImmutableTree parentBefore,
+ @Nullable ImmutableTree parentAfter,
@Nullable TreePermission parentPermission,
@Nonnull PermissionValidator parentValidator) {
this.parentBefore = parentBefore;
@@ -100,7 +103,6 @@ class PermissionValidator extends Defaul
if (AbstractTree.OAK_CHILD_ORDER.equals(name)) {
String childName = ChildOrderDiff.firstReordered(before, after);
if (childName != null) {
- Tree child = parentAfter.getChild(childName);
checkPermissions(parentAfter, false,
Permissions.MODIFY_CHILD_NODE_COLLECTION);
} // else: no re-order but only internal update
} else if (isImmutableProperty(name)) {
@@ -120,7 +122,7 @@ class PermissionValidator extends Defaul
@Override
public Validator childNodeAdded(String name, NodeState after) throws
CommitFailedException {
- Tree child = checkNotNull(parentAfter.getChild(name));
+ ImmutableTree child = checkNotNull(parentAfter.getChild(name));
if (isVersionstorageTree(child)) {
child = getVersionHistoryTree(child);
if (child == null) {
@@ -134,14 +136,14 @@ class PermissionValidator extends Defaul
@Override
public Validator childNodeChanged(String name, NodeState before, NodeState
after) throws CommitFailedException {
- Tree childBefore = parentBefore.getChild(name);
- Tree childAfter = parentAfter.getChild(name);
- return nextValidator(childBefore, childAfter,
permissionProvider.getTreePermission(childBefore, parentPermission));
+ ImmutableTree childBefore = parentBefore.getChild(name);
+ ImmutableTree childAfter = parentAfter.getChild(name);
+ return nextValidator(childBefore, childAfter,
parentPermission.getChildPermission(name, before));
}
@Override
public Validator childNodeDeleted(String name, NodeState before) throws
CommitFailedException {
- Tree child = checkNotNull(parentBefore.getChild(name));
+ ImmutableTree child = parentBefore.getChild(name);
if (isVersionstorageTree(child)) {
throw new CommitFailedException(
ACCESS, 22, "Attempt to remove versionstorage node: Fail
to verify delete permission.");
@@ -151,8 +153,9 @@ class PermissionValidator extends Defaul
//-------------------------------------------------< internal / private
>---
@Nonnull
- PermissionValidator createValidator(@Nullable Tree parentBefore, @Nullable
Tree parentAfter,
- @Nullable TreePermission
parentPermission,
+ PermissionValidator createValidator(@Nullable ImmutableTree parentBefore,
+ @Nullable ImmutableTree parentAfter,
+ @Nonnull TreePermission
parentPermission,
@Nonnull PermissionValidator
parentValidator) {
return new PermissionValidator(parentBefore, parentAfter,
parentPermission, parentValidator);
}
@@ -168,11 +171,12 @@ class PermissionValidator extends Defaul
}
@Nonnull
- TreePermission getParentPermission() {
- return parentPermission;
+ PermissionProvider getPermissionProvider() {
+ return permissionProvider;
}
- Validator checkPermissions(@Nonnull Tree tree, boolean isBefore,
+ @CheckForNull
+ Validator checkPermissions(@Nonnull ImmutableTree tree, boolean isBefore,
long defaultPermission) throws
CommitFailedException {
long toTest = getPermission(tree, defaultPermission);
if (Permissions.isRepositoryPermission(toTest)) {
@@ -181,7 +185,7 @@ class PermissionValidator extends Defaul
}
return null; // no need for further validation down the subtree
} else {
- TreePermission tp = permissionProvider.getTreePermission(tree,
parentPermission);
+ TreePermission tp =
parentPermission.getChildPermission(tree.getName(), tree.unwrap());
if (!tp.isGranted(toTest)) {
throw new CommitFailedException(ACCESS, 0, "Access denied");
}
@@ -195,7 +199,8 @@ class PermissionValidator extends Defaul
}
}
- private void checkPermissions(@Nonnull Tree parent, @Nonnull PropertyState
property,
+ private void checkPermissions(@Nonnull ImmutableTree parent,
+ @Nonnull PropertyState property,
long defaultPermission) throws
CommitFailedException {
if (NodeStateUtils.isHidden(property.getName())) {
// ignore any hidden properties (except for OAK_CHILD_ORDER which
has
@@ -215,7 +220,10 @@ class PermissionValidator extends Defaul
}
}
- private Validator nextValidator(@Nullable Tree parentBefore, @Nullable
Tree parentAfter, @Nonnull TreePermission treePermission) {
+ @Nonnull
+ private Validator nextValidator(@Nullable ImmutableTree parentBefore,
+ @Nullable ImmutableTree parentAfter,
+ @Nonnull TreePermission treePermission) {
Validator validator = createValidator(parentBefore, parentAfter,
treePermission, this);
return new VisibleValidator(validator, true, false);
}
@@ -313,7 +321,8 @@ class PermissionValidator extends Defaul
VersionConstants.REP_VERSIONSTORAGE.equals(TreeUtil.getPrimaryTypeName(tree));
}
- private Tree getVersionHistoryTree(Tree versionstorageTree) throws
CommitFailedException {
+ @CheckForNull
+ private ImmutableTree getVersionHistoryTree(Tree versionstorageTree)
throws CommitFailedException {
Tree versionHistory = null;
for (Tree child : versionstorageTree.getChildren()) {
if
(VersionConstants.NT_VERSIONHISTORY.equals(TreeUtil.getPrimaryTypeName(child)))
{
@@ -324,6 +333,6 @@ class PermissionValidator extends Defaul
throw new CommitFailedException("Misc", 0, "unexpected node");
}
}
- return versionHistory;
+ return (ImmutableTree) versionHistory;
}
}
Modified: jackrabbit/oak/trunk/oak-jcr/pom.xml
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/pom.xml?rev=1545340&r1=1545339&r2=1545340&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-jcr/pom.xml Mon Nov 25 16:43:05 2013
@@ -103,7 +103,6 @@
org.apache.jackrabbit.test.api.version.MergeSubNodeTest
<!-- Permission Evaluation -->
-
org.apache.jackrabbit.oak.jcr.security.authorization.WriteTest#testMoveRemoveSubTree
<!-- OAK-1115 blocked by OAK-783 -->
org.apache.jackrabbit.oak.jcr.security.authorization.VersionManagementTest#testRemoveVersion
<!-- OAK-168 -->
org.apache.jackrabbit.oak.jcr.security.authorization.VersionManagementTest#testRemoveVersion2
<!-- OAK-168 -->
@@ -113,6 +112,8 @@
org.apache.jackrabbit.oak.jcr.security.authorization.CopyTest#testCopyInvisibleProperty
<!-- OAK-920 -->
org.apache.jackrabbit.oak.jcr.security.authorization.CopyTest#testCopyInvisibleAcContent
<!-- OAK-920 -->
+
org.apache.jackrabbit.oak.jcr.security.authorization.SessionMoveTest#testMoveAddSubTreeWithRestriction
<!-- OAK-1223 -->
+
<!-- User Management -->
org.apache.jackrabbit.oak.jcr.security.user.RefreshTest#testAuthorizableGetProperty
<!-- OAK-1124 -->
Modified:
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/SessionDelegate.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/SessionDelegate.java?rev=1545340&r1=1545339&r2=1545340&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/SessionDelegate.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/SessionDelegate.java
Mon Nov 25 16:43:05 2013
@@ -16,14 +16,8 @@
*/
package org.apache.jackrabbit.oak.jcr.delegate;
-import static com.google.common.base.Preconditions.checkNotNull;
-import static com.google.common.collect.Lists.newArrayList;
-import static org.apache.jackrabbit.oak.commons.PathUtils.denotesRoot;
-import static org.apache.jackrabbit.oak.commons.PathUtils.elements;
-
import java.io.IOException;
import java.util.List;
-
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.jcr.ItemExistsException;
@@ -39,7 +33,6 @@ import org.apache.jackrabbit.oak.api.Que
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
-import org.apache.jackrabbit.oak.jcr.security.AccessManager;
import org.apache.jackrabbit.oak.jcr.session.RefreshStrategy;
import org.apache.jackrabbit.oak.jcr.session.operation.SessionOperation;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManager;
@@ -50,7 +43,6 @@ import org.apache.jackrabbit.oak.spi.com
import org.apache.jackrabbit.oak.spi.commit.FailingValidator;
import org.apache.jackrabbit.oak.spi.commit.SubtreeExcludingValidator;
import org.apache.jackrabbit.oak.spi.commit.Validator;
-import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.slf4j.Logger;
@@ -58,6 +50,11 @@ import org.slf4j.LoggerFactory;
import org.slf4j.Marker;
import org.slf4j.MarkerFactory;
+import static com.google.common.base.Preconditions.checkNotNull;
+import static com.google.common.collect.Lists.newArrayList;
+import static org.apache.jackrabbit.oak.commons.PathUtils.denotesRoot;
+import static org.apache.jackrabbit.oak.commons.PathUtils.elements;
+
/**
* TODO document
*/
@@ -379,12 +376,13 @@ public class SessionDelegate {
/**
* Move a node
+ *
* @param srcPath oak path to the source node to copy
* @param destPath oak path to the destination
* @param transientOp whether or not to perform the move in transient
space
* @throws RepositoryException
*/
- public void move(String srcPath, String destPath, boolean transientOp,
AccessManager accessManager)
+ public void move(String srcPath, String destPath, boolean transientOp)
throws RepositoryException {
Root moveRoot = transientOp ? root : contentSession.getLatestRoot();
@@ -408,8 +406,6 @@ public class SessionDelegate {
throw new PathNotFoundException(srcPath);
}
- accessManager.checkPermissions(destPath,
Permissions.getString(Permissions.NODE_TYPE_MANAGEMENT));
-
try {
if (!moveRoot.move(srcPath, destPath)) {
throw new RepositoryException("Cannot move node at " + srcPath
+ " to " + destPath);
Modified:
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java?rev=1545340&r1=1545339&r2=1545340&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java
Mon Nov 25 16:43:05 2013
@@ -16,16 +16,12 @@
*/
package org.apache.jackrabbit.oak.jcr.session;
-import static com.google.common.collect.Sets.newTreeSet;
-import static org.apache.jackrabbit.oak.commons.PathUtils.getParentPath;
-
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.AccessControlException;
import java.util.Collections;
import java.util.Set;
-
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.jcr.AccessDeniedException;
@@ -60,8 +56,8 @@ import org.apache.jackrabbit.oak.jcr.del
import org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate;
import org.apache.jackrabbit.oak.jcr.delegate.PropertyDelegate;
import org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate;
-import org.apache.jackrabbit.oak.jcr.session.operation.SessionOperation;
import org.apache.jackrabbit.oak.jcr.security.AccessManager;
+import org.apache.jackrabbit.oak.jcr.session.operation.SessionOperation;
import org.apache.jackrabbit.oak.jcr.xml.ImportHandler;
import
org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials;
import
org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
@@ -70,6 +66,9 @@ import org.slf4j.LoggerFactory;
import org.xml.sax.ContentHandler;
import org.xml.sax.SAXException;
+import static com.google.common.collect.Sets.newTreeSet;
+import static org.apache.jackrabbit.oak.commons.PathUtils.getParentPath;
+
/**
* TODO document
*/
@@ -362,8 +361,7 @@ public class SessionImpl implements Jack
@Override
public Void perform() throws RepositoryException {
- sd.move(srcOakPath, destOakPath, true,
- sessionContext.getAccessManager());
+ sd.move(srcOakPath, destOakPath, true);
return null;
}
});
Modified:
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/WorkspaceImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/WorkspaceImpl.java?rev=1545340&r1=1545339&r2=1545340&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/WorkspaceImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/WorkspaceImpl.java
Mon Nov 25 16:43:05 2013
@@ -16,12 +16,8 @@
*/
package org.apache.jackrabbit.oak.jcr.session;
-import static org.apache.jackrabbit.oak.commons.PathUtils.getParentPath;
-import static
org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants.NODE_TYPES_PATH;
-
import java.io.IOException;
import java.io.InputStream;
-
import javax.annotation.Nonnull;
import javax.jcr.InvalidSerializedDataException;
import javax.jcr.NamespaceRegistry;
@@ -56,6 +52,9 @@ import org.xml.sax.ContentHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
+import static org.apache.jackrabbit.oak.commons.PathUtils.getParentPath;
+import static
org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants.NODE_TYPES_PATH;
+
/**
* TODO document
*/
@@ -186,8 +185,7 @@ public class WorkspaceImpl implements Ja
SessionImpl.checkIndexOnName(sessionContext, destAbsPath);
- sessionDelegate.move(
- srcOakPath, destOakPath, false,
sessionContext.getAccessManager());
+ sessionDelegate.move(srcOakPath, destOakPath, false);
}
@Override
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java?rev=1545340&r1=1545339&r2=1545340&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java
Mon Nov 25 16:43:05 2013
@@ -23,6 +23,7 @@ import javax.jcr.Session;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.junit.Ignore;
import org.junit.Test;
/**
@@ -43,7 +44,7 @@ public class SessionMoveTest extends Abs
@Test
public void testMoveAndRemoveSubTree() throws Exception {
allow(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES));
- allow(siblingPath, privilegesFromNames(new String[] {
+ allow(siblingPath, privilegesFromNames(new String[]{
Privilege.JCR_ADD_CHILD_NODES,
Privilege.JCR_NODE_TYPE_MANAGEMENT}));
@@ -67,7 +68,7 @@ public class SessionMoveTest extends Abs
allow(path, privilegesFromNames(new String[] {
Privilege.JCR_REMOVE_CHILD_NODES,
Privilege.JCR_REMOVE_NODE}));
- allow(siblingPath, privilegesFromNames(new String[] {
+ allow(siblingPath, privilegesFromNames(new String[]{
Privilege.JCR_ADD_CHILD_NODES,
Privilege.JCR_NODE_TYPE_MANAGEMENT}));
deny(testSession.getNode(nodePath3).getPath(),
privilegesFromName(Privilege.JCR_REMOVE_NODE));
@@ -90,7 +91,9 @@ public class SessionMoveTest extends Abs
public void testMoveAndRemoveSubTree3() throws Exception {
allow(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES));
allow(childNPath, privilegesFromName(Privilege.JCR_REMOVE_NODE));
- allow(siblingPath, privilegesFromName(PrivilegeConstants.REP_WRITE));
+ allow(siblingPath, privilegesFromNames(new String[] {
+ PrivilegeConstants.JCR_ADD_CHILD_NODES,
PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT
+ }));
testSession.move(childNPath, siblingDestPath);
@@ -102,17 +105,114 @@ public class SessionMoveTest extends Abs
}
@Test
- public void testMoveAndRemoveProperty() throws Exception {
- // TODO
+ public void testMoveRemoveSubTreeWithRestriction() throws Exception {
+ /* allow READ/WRITE privilege for testUser at 'path' */
+ allow(path, testUser.getPrincipal(), readWritePrivileges);
+ /* deny REMOVE_NODE privileges at subtree. */
+ deny(path, privilegesFromName(PrivilegeConstants.JCR_REMOVE_NODE),
createGlobRestriction("*/"+nodeName3));
+
+ assertTrue(testSession.nodeExists(childNPath));
+ assertTrue(testSession.hasPermission(childNPath,
Session.ACTION_REMOVE));
+ assertTrue(testSession.hasPermission(childNPath2,
Session.ACTION_ADD_NODE));
+
+ testSession.move(childNPath, childNPath2 + "/dest");
+ Node dest = testSession.getNode(childNPath2 + "/dest");
+ dest.getNode(nodeName3).remove();
+
+ try {
+ testSession.save();
+ fail("Removing child node must be denied.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
}
@Test
- public void testMoveAndAddReplacementAtSource() throws Exception {
+ public void testMoveAndAddSubTree() throws Exception {
+ allow(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES));
+ allow(childNPath, privilegesFromName(Privilege.JCR_REMOVE_NODE));
+ allow(siblingPath, privilegesFromNames(new String[] {
+ PrivilegeConstants.JCR_ADD_CHILD_NODES,
PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT
+ }));
+
+ testSession.move(childNPath, siblingDestPath);
+
+ Node moved = testSession.getNode(siblingDestPath);
+ Node child = moved.getNode(nodeName3);
+ child.addNode(nodeName4);
+
+ try {
+ testSession.save();
+ fail("Adding child node at moved node must be denied: no
add_child_node privilege at original location.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testMoveAndAddSubTree2() throws Exception {
+ allow(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES));
+ allow(childNPath, privilegesFromName(Privilege.JCR_REMOVE_NODE));
+ allow(siblingPath, privilegesFromNames(new String[] {
+ PrivilegeConstants.JCR_ADD_CHILD_NODES,
PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT
+ }));
+ allow(nodePath3, privilegesFromName(Privilege.JCR_ADD_CHILD_NODES));
+
+ testSession.move(childNPath, siblingDestPath);
+
+ Node moved = testSession.getNode(siblingDestPath);
+ Node child = moved.getNode(nodeName3);
+ child.addNode(nodeName4);
+
+ testSession.save();
+ }
+
+ @Test
+ public void testMoveAndAddSubTree3() throws Exception {
+ allow(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES));
+ allow(childNPath, privilegesFromNames(new String[] {
+ Privilege.JCR_REMOVE_NODE, Privilege.JCR_ADD_CHILD_NODES
+ }));
+ allow(siblingPath, privilegesFromNames(new String[] {
+ PrivilegeConstants.JCR_ADD_CHILD_NODES,
PrivilegeConstants.JCR_NODE_TYPE_MANAGEMENT
+ }));
+
+ testSession.move(childNPath, siblingDestPath);
+
+ Node moved = testSession.getNode(siblingDestPath);
+ Node child = moved.getNode(nodeName3);
+ child.addNode(nodeName4);
+
+ testSession.save();
+ }
+
+ @Ignore("OAK-1223") // FIXME: OAK-1223
+ @Test
+ public void testMoveAddSubTreeWithRestriction() throws Exception {
+ /* allow READ/WRITE privilege for testUser at 'path' */
+ allow(path, testUser.getPrincipal(), readWritePrivileges);
+ /* deny ADD_CHILD_NODES privileges at subtree. */
+ deny(path, privilegesFromName(PrivilegeConstants.JCR_ADD_CHILD_NODES),
createGlobRestriction("*/"+nodeName3));
+
+ testSession.move(childNPath, childNPath2 + "/dest");
+ Node dest = testSession.getNode(childNPath2 + "/dest");
+ dest.getNode(nodeName3).addNode(nodeName4);
+
+ try {
+ testSession.save();
+ fail("Adding child node must be denied.");
+ } catch (AccessDeniedException e) {
+ // success
+ }
+ }
+
+ @Test
+ public void testMoveAndRemoveProperty() throws Exception {
// TODO
}
@Test
- public void testMoveAndAddSubTree() throws Exception {
+ public void testMoveAndAddReplacementAtSource() throws Exception {
// TODO
}
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WorkspaceMoveTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WorkspaceMoveTest.java?rev=1545340&r1=1545339&r2=1545340&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WorkspaceMoveTest.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WorkspaceMoveTest.java
Mon Nov 25 16:43:05 2013
@@ -19,12 +19,9 @@ package org.apache.jackrabbit.oak.jcr.se
import javax.jcr.RepositoryException;
import javax.jcr.Session;
-import org.junit.Ignore;
-
/**
* Permission evaluation tests for move operations.
*/
-@Ignore("OAK-710 : permission validator doesn't detect move")
public class WorkspaceMoveTest extends AbstractMoveTest {
@Override
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java?rev=1545340&r1=1545339&r2=1545340&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
Mon Nov 25 16:43:05 2013
@@ -836,33 +836,4 @@ public class WriteTest extends AbstractE
superuser.save();
}
}
-
- @Ignore("OAK-1115")
- @Test
- public void testMoveRemoveSubTree() throws Exception {
- Node subtree = superuser.getNode(childNPath).addNode(nodeName3);
- superuser.save();
-
- String subtreePath = subtree.getPath();
-
- /* allow READ/WRITE privilege for testUser at 'path' */
- allow(path, testUser.getPrincipal(), readWritePrivileges);
- /* deny READ/REMOVE property privileges at subtree. */
- deny(path, privilegesFromNames(new String[]
{PrivilegeConstants.JCR_REMOVE_NODE}), createGlobRestriction("*/"+nodeName3));
-
- assertTrue(testSession.nodeExists(childNPath));
- assertTrue(testSession.hasPermission(childNPath,
Session.ACTION_REMOVE));
- assertTrue(testSession.hasPermission(childNPath2,
Session.ACTION_ADD_NODE));
-
- testSession.move(childNPath, childNPath2 + "/dest");
- Node dest = testSession.getNode(childNPath2 + "/dest");
- dest.getNode(nodeName3).remove();
-
- try {
- testSession.save();
- fail("Removing child node must be denied.");
- } catch (AccessDeniedException e) {
- // success
- }
- }
}
\ No newline at end of file
