[ 
https://issues.apache.org/jira/browse/OAK-711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13641638#comment-13641638
 ] 

angela commented on OAK-711:
----------------------------

as we don't have the ability for solution a), i decided to move forward
and started implementing the following logic, which we can still revisit
later on:

- Node#addNode and Node#canAddMixin perform an explicit permission check
  as this used to be the case in jackrabbit core

- The permission validator applies the following logic for jcr:primaryType:
  a) propertyAdded   -> omit check
  b) propertyChanged -> check for NODE_TYPE_MANAGEMENT permission
  c) propertyDeleted -> omit check as this is always associated with removal of the node

- The permission validator applies the following logic for jcr:mixinTypes:
  a) propertyAdded   -> check for NODE_TYPE_MANAGEMENT
  b) propertyChanged -> check for NODE_TYPE_MANAGEMENT
  c) propertyDeleted -> check for NODE_TYPE_MANAGEMENT

consequently i enabled the NodeTypeManagementTest and explicitly listed
those tests that are currently failing in the pom.xml

missing for this issue to be resolved is a backwards compatible
handling for Move and Copy.
the other excluded tests are waiting for OAK-767 and OAK-773
                
> PermissionValidator: Proper permission handling for jcr:nodetypeManagement privilege
> ------------------------------------------------------------------------------------
>
>                 Key: OAK-711
>                 URL: https://issues.apache.org/jira/browse/OAK-711
>             Project: Jackrabbit Oak
>          Issue Type: Sub-task
>          Components: core
>            Reporter: angela
>
> The jcr specification defines jcr:nodeTypeManagement privilege for all
> JCR API calls that set jcr:primaryType and jcr:mixinType properties.
> however, on the oak level we lack the ability to distinguish between
> system internal and user supplied modification of those properties.
> possible solution:
> - introduce ability to distinguish between API call and system internal mod
> - only enforce permission in oak-jcr (backwards compatibility issue as it
>   used to be checked upon save only)
> - violate spec and drop explicit check for jcr:nodeTypeManagement for those
>   cases where it's ambiguous in order not to have existing code failing.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
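
The validator rules listed in the comment above, modelled as an added Java example (not Oak's code and not part of the original message). The class and method names are hypothetical, and node states are simplified to property maps holding constructed sample values.

```java
import java.util.*;

// Hypothetical model of the rules in the comment; this is not Oak's PermissionValidator.
public class NodeTypePermissionModel {
    enum Event { ADDED, CHANGED, DELETED }

    /** True when the listed rules demand a NODE_TYPE_MANAGEMENT check. */
    static boolean needsNodeTypeManagement(String property, Event event) {
        switch (property) {
            case "jcr:primaryType":
                // added: check omitted; deleted: always part of node removal
                return event == Event.CHANGED;
            case "jcr:mixinTypes":
                return true; // added, changed and deleted are all checked
            default:
                return false; // other properties are outside this rule set
        }
    }

    /** Diffs two property maps and lists the changes that require the permission. */
    static List<String> requiredChecks(Map<String, List<String>> before,
                                       Map<String, List<String>> after) {
        Set<String> names = new TreeSet<>(before.keySet());
        names.addAll(after.keySet());
        List<String> checks = new ArrayList<>();
        for (String name : names) {
            List<String> b = before.get(name), a = after.get(name);
            Event event;
            if (b == null) event = Event.ADDED;
            else if (a == null) event = Event.DELETED;
            else if (!b.equals(a)) event = Event.CHANGED;
            else continue; // unchanged property, no event
            if (needsNodeTypeManagement(name, event)) checks.add(name + " " + event);
        }
        return checks;
    }

    public static void main(String[] args) {
        // Constructed sample node states
        Map<String, List<String>> none = Map.of();
        Map<String, List<String>> folder = Map.of("jcr:primaryType", List.of("nt:folder"));
        Map<String, List<String>> file = Map.of("jcr:primaryType", List.of("nt:file"));
        Map<String, List<String>> versionable = Map.of(
            "jcr:primaryType", List.of("nt:folder"),
            "jcr:mixinTypes", List.of("mix:versionable"));
        System.out.println(requiredChecks(none, folder));        // new node
        System.out.println(requiredChecks(folder, file));        // primary type changed
        System.out.println(requiredChecks(folder, versionable)); // mixin added
        System.out.println(requiredChecks(versionable, folder)); // mixin removed
        System.out.println(requiredChecks(folder, none));        // node removed
    }
}
```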
