[
https://issues.apache.org/jira/browse/OAK-842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13679489#comment-13679489
]
Jukka Zitting commented on OAK-842:
-----------------------------------
An interesting alternative: We could declare that all such internal data should
always be placed under an ":internal" child node. The normal access control
checks wouldn't apply to it, but {{TreeImpl}} and friends would always filter
out client access to content under that subtree.
> Incorrect interaction of orderable child nodes with access control
> -------------------------------------------------------------------
>
> Key: OAK-842
> URL: https://issues.apache.org/jira/browse/OAK-842
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core
> Reporter: Michael Dürig
>
> Working on OAK-813 revealed problems with the interaction of the current
> implementation of orderable nodes and access control:
> * {{TreeImpl#getOrderedChildNames}} returns all child names regardless of
> whether they are accessible in the current session or not. This might cause
> errors further down the line like exposure of the existence of child nodes.
> * {{TreeImpl.remove}} doesn't (can't) update the child order property if the
> parent is not accessible.
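The first bullet of the report, as an added example that is not part of the original message and is not Oak's code: a simplified Java model showing how returning a stored child order list unfiltered reveals the name of a child the session cannot read, next to a variant that checks read access per name. The `Node` class, the `childOrder` list and the `canRead` predicate are hypothetical stand-ins, not Oak's `TreeImpl` or its access control API.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

// Simplified model, not Oak's TreeImpl: a parent that keeps child order in an internal list.
public class OrderedChildrenDemo {
    static final class Node {
        final String path;
        final Map<String, Node> children = new LinkedHashMap<>();
        // Stand-in for the internal child order property (constructed for this example).
        final List<String> childOrder = new ArrayList<>();
        Node(String path) { this.path = path; }
        Node addChild(String name) {
            Node child = new Node(path.equals("/") ? "/" + name : path + "/" + name);
            children.put(name, child);
            childOrder.add(name);
            return child;
        }
    }

    // Behaviour described in the report: the raw order list is returned as-is.
    static List<String> orderedChildNamesUnfiltered(Node parent) {
        return new ArrayList<>(parent.childOrder);
    }

    // Filtered variant: a name is returned only if the session may read that child.
    static List<String> orderedChildNames(Node parent, Predicate<String> canRead) {
        List<String> visible = new ArrayList<>();
        for (String name : parent.childOrder) {
            Node child = parent.children.get(name);
            if (child != null && canRead.test(child.path)) {
                visible.add(name);
            }
        }
        return visible;
    }

    public static void main(String[] args) {
        Node root = new Node("/");
        for (String n : new String[] {"public", "restricted", "docs"}) root.addChild(n);
        // Constructed policy: this session may read everything except /restricted.
        Predicate<String> canRead = p -> !p.startsWith("/restricted");
        System.out.println("unfiltered: " + orderedChildNamesUnfiltered(root));
        System.out.println("filtered:   " + orderedChildNames(root, canRead));
    }
}
```

The filtered variant preserves the stored order while omitting names the session cannot read, so the order list no longer discloses the existence of inaccessible children.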