Author: angela
Date: Fri Oct 16 12:43:12 2020
New Revision: 1882583
URL: http://svn.apache.org/viewvc?rev=1882583&view=rev
Log:
OAK-9183 : verify 'Mapping API Calls to Privileges' wrt to move operations
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md?rev=1882583&r1=1882582&r2=1882583&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
(original)
+++
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
Fri Oct 16 12:43:12 2020
@@ -107,7 +107,7 @@ of the special index definition.
| API Call | Privilege(s)
|
|----------------------------------------------|--------------------------------|
-| `Session.move` | `jcr:removeChildNodes`
(source parent) and `jcr:addChildNodes` (target parent) |
+| `Session.move` | same privileges as if the
node to move would be removed and created using regular API calls (items in the
subtree are not checked) |
| `Session.importXml` | same privileges as if items
would be created using regular API calls |
##### Access Control Management
@@ -182,7 +182,7 @@ of the special index definition.
| API Call | Privilege(s)
|
|----------------------------------------------|--------------------------------|
-| `Workspace.move` | `jcr:removeChildNodes`
(source parent) and `jcr:addChildNodes` (target parent) |
+| `Workspace.move` | same privileges as if the
node to move would be removed and created using regular API calls (items in the
subtree are not checked) |
| `Workspace.copy` | same privileges as if items
would be created using regular API calls |
| `Workspace.importXml` | same privileges as if items
would be created using regular API calls |
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java?rev=1882583&r1=1882582&r2=1882583&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AbstractMoveTest.java
Fri Oct 16 12:43:12 2020
@@ -138,6 +138,31 @@ public abstract class AbstractMoveTest e
}
@Test
+ public void testMoveMissingNtManagement() throws Exception {
+ // not granting jcr:nodeTypeManagement
+ allow(path, privilegesFromNames(new String[] {
+ Privilege.JCR_ADD_CHILD_NODES,
+ Privilege.JCR_REMOVE_CHILD_NODES,
+ Privilege.JCR_REMOVE_NODE}));
+ try {
+ move(childNPath, destPath);
+ fail("Move requires jcr:nodeTypeManagement privilege at
destination.");
+ } catch (AccessDeniedException e) {
+ // success.
+ }
+ }
+
+ @Test
+ public void testMoveMissingPrivilegesInSubtree() throws Exception {
+ // grant privileges required to move 'childNPath' to 'destPath'
+ allow(path, privilegesFromName(PrivilegeConstants.REP_WRITE));
+ // revoke privileges such that only 'childNPath' can be removed and
added
+ deny(childNPath, modifyChildCollection);
+ deny(nodePath3, privilegesFromNames(new String[]
{Privilege.JCR_REMOVE_NODE}));
+ move(childNPath, destPath);
+ }
+
+ @Test
public void testMissingJcrAddChildNodesAtDestParent() throws Exception {
allow(path, privilegesFromNames(new String[] {
Privilege.JCR_ADD_CHILD_NODES,
