[
https://issues.apache.org/jira/browse/OAK-711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13629124#comment-13629124
]
angela commented on OAK-711:
----------------------------
org.apache.jackrabbit.oak.jcr.security.authorization.NodeTypeManagementTest
illustrates the issues.
> PermissionValidator: Proper permission handling for jcr:nodetypeManagement
> privilege
> ------------------------------------------------------------------------------------
>
> Key: OAK-711
> URL: https://issues.apache.org/jira/browse/OAK-711
> Project: Jackrabbit Oak
> Issue Type: Sub-task
> Components: core
> Reporter: angela
>
> The JCR specification defines jcr:nodeTypeManagement privilege for all
> JCR API calls that set jcr:primaryType and jcr:mixinType properties.
> However, on the Oak level we lack the ability to distinguish between
> system internal and user supplied modification of those properties.
> Possible solution:
> - introduce ability to distinguish between API call and system internal mod
> - only enforce permission in oak-jcr (backwards compatibility issue as it
> used to be checked upon save only)
> - violate spec and drop explicit check for jcr:nodeTypeManagement for those
> cases where it's ambiguous in order not to have existing code failing.