[ 
https://issues.apache.org/jira/browse/OAK-842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13679390#comment-13679390
 ] 

Jukka Zitting commented on OAK-842:
-----------------------------------

bq. E.g. TreeImpl#updateChildOrder() assumes it has access to all child nodes 
through the NodeBuilder.

We could easily give TreeImpl also the raw NodeBuilder in addition to the 
SecureNodeBuilder instance. Methods like {{updateChildOrder()}} can (/should) 
use the raw builder as long as they don't accidentally leak read-protected 
information to the client.
                
> Incorrect interaction of orderable child nodes with access control 
> -------------------------------------------------------------------
>
>                 Key: OAK-842
>                 URL: https://issues.apache.org/jira/browse/OAK-842
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core
>            Reporter: Michael Dürig
>
> Working on OAK-813 revealed problems with the interaction of the current 
> implementation of orderable nodes and access control:
> * {{TreeImpl#getOrderedChildNames}} returns all child names regardless of 
> whether they are accessible in the current session or not. This might cause 
> errors further down the line like exposure of the existence of child nodes.
> * {{TreeImpl.remove}} doesn't (can't) update the child order property if the 
> parent is not accessible. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
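
The approach suggested in the comment, as an added example that is not Oak's code: the class, its fields and its methods are hypothetical stand-ins for TreeImpl, the raw NodeBuilder and the SecureNodeBuilder. Ordering bookkeeping runs on the raw list, while everything returned to the client is filtered by what the session may read.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical model (not Oak's API): one parent with orderable children.
public class OrderedChildrenDemo {
    // Raw view: full child order, including read-protected names.
    private final List<String> rawOrder;
    // Secure view: names the current session may read (constructed sample data).
    private final Set<String> readable;

    OrderedChildrenDemo(List<String> children, Set<String> readable) {
        this.rawOrder = new ArrayList<>(children);
        this.readable = readable;
    }

    // A name the session may act on: it exists AND is readable.
    private boolean visible(String name) {
        return readable.contains(name) && rawOrder.contains(name);
    }

    // Client-facing: stored order, minus anything the session cannot read.
    List<String> getOrderedChildNames() {
        List<String> out = new ArrayList<>();
        for (String name : rawOrder) {
            if (readable.contains(name)) out.add(name);
        }
        return out;
    }

    // Reorders on the raw list so hidden siblings keep their positions.
    // Hidden and absent names fail identically, so the result leaks nothing.
    boolean orderBefore(String name, String before) {
        if (name.equals(before) || !visible(name) || !visible(before)) return false;
        rawOrder.remove(name);
        rawOrder.add(rawOrder.indexOf(before), name);
        return true;
    }

    public static void main(String[] args) {
        OrderedChildrenDemo tree = new OrderedChildrenDemo(
                List.of("a", "secret", "b", "c"), Set.of("a", "b", "c"));
        System.out.println("client view: " + tree.getOrderedChildNames());
        System.out.println("move c before a: " + tree.orderBefore("c", "a"));
        System.out.println("move a before secret: " + tree.orderBefore("a", "secret"));
        System.out.println("move a before missing: " + tree.orderBefore("a", "missing"));
        System.out.println("client view: " + tree.getOrderedChildNames());
        System.out.println("raw order (internal only): " + tree.rawOrder);
    }
}
```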
