[
https://issues.apache.org/jira/browse/OAK-766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13633977#comment-13633977
]
Jukka Zitting commented on OAK-766:
-----------------------------------
bq. another possibility was to drop the SecureNodeState and check accessibility
on TreeImpl. in other words: let the TreeLocation operate on the un-checked
NodeState and only perform check for accessibility once the Tree/Property is
really accessed.
If I understand correctly, that's the way Michael's proposal would also work:
the check for accessibility would be done only when the Tree/Property is really
accessed. That's the idea behind the "exists()" mechanism from OAK-709; that we
can traverse a path one element at a time without having to check for access
rights on any of the intermediate nodes.
> TreeImpl#*Location: unable retrieve child location if access to parent is
> denied
> --------------------------------------------------------------------------------
>
> Key: OAK-766
> URL: https://issues.apache.org/jira/browse/OAK-766
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core
> Reporter: angela
> Assignee: Michael Dürig
> Attachments: OAK-766-patch.txt
>
>
> as a consequence of OAK-709 we now have an issue with the way
> SessionDelegate and Root#getLocation access a node in the hierarchy
> which has an ancestor which is not accessible.
> specifically RootImpl#getLocation will be served a NullLocation for the
> first ancestor which is not accessible and consequently any accessible
> child node cannot be accessed.
> in order to reproduce the issue you may:
> - change AccessControlConfigurationImpl to use PermissionProviderImpl instead
> of the tmp solution
> - and run o.a.j.oak.jcr.security.authorization.ReadTest#testReadDenied
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
