[
https://issues.apache.org/jira/browse/OAK-1115?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Marth updated OAK-1115:
-------------------------------
Fix Version/s: 0.15
> Remove of Subtree after Move is not subjected to permission validation
> ----------------------------------------------------------------------
>
> Key: OAK-1115
> URL: https://issues.apache.org/jira/browse/OAK-1115
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core
> Reporter: angela
> Assignee: angela
> Priority: Critical
> Fix For: 0.15
>
>
> The following test passes in Jackrabbit-Core but fails in OAK:
> {code}
>     @Test
>     public void testMoveRemoveSubTree() throws Exception {
>         superuser.getNode(childNPath).addNode(nodeName3);
>         superuser.save();
>
>         /* allow READ/WRITE privilege for testUser at 'path' */
>         givePrivileges(path,
>                 privilegesFromNames(new String[] {Privilege.JCR_READ, "rep:write"}),
>                 Collections.<String, Value>emptyMap());
>         /* deny READ/REMOVE property privileges at subtree. */
>         withdrawPrivileges(path,
>                 privilegesFromNames(new String[] {Privilege.JCR_REMOVE_NODE}),
>                 Collections.singletonMap("rep:glob",
>                         superuser.getValueFactory().createValue("*/" + nodeName3)));
>
>         Session testSession = getTestSession();
>         assertTrue(testSession.nodeExists(childNPath));
>         assertTrue(testSession.hasPermission(childNPath, Session.ACTION_REMOVE));
>         assertTrue(testSession.hasPermission(childNPath2, Session.ACTION_ADD_NODE));
>
>         testSession.move(childNPath, childNPath2 + "/dest");
>         Node dest = testSession.getNode(childNPath2 + "/dest");
>         dest.getNode(nodeName3).remove();
>         try {
>             testSession.save();
>             fail("Removing child node must be denied.");
>         } catch (AccessDeniedException e) {
>             // success
>         }
>     }
> {code}
> This is a critical security issue, as moving around the parent is
> sufficient in order to be able to remove a node that was otherwise not
> removable due to limited permissions.
> AFAIK this behavior is caused by a limitation in the Diff process which
> doesn't allow identifying the move and thus makes it impossible to find out
> if the subtree has been removed.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
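
The failure mode described in the report, as a simplified model added here (not Oak or Jackrabbit code): a permission check driven by a plain before/after tree diff sees the move only as "subtree deleted at source, subtree added at destination" and so never notices the child missing from the moved subtree, while a check that is told about the move can compare the two subtrees. The tree layout, node names, the `MOVES` map and the rule that only the root of a deleted subtree is checked are assumptions made for this illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample trees modelled on the test (node names are made up).
BEFORE = {"path": {"childN": {"n3": {}}, "childN2": {}}}
AFTER = {"path": {"childN2": {"dest": {}}}}  # childN moved to childN2/dest, n3 removed
MOVES = {"/path/childN2/dest": "/path/childN"}  # destination -> source (assumed to be recorded)
DENY_REMOVE = "/path*/n3"  # approximates the rep:glob "*/n3" deny entry at /path

def may_remove(path):
    return not fnmatchcase(path, DENY_REMOVE)

def lookup(tree, path):
    for name in path.strip("/").split("/"):
        tree = tree[name]
    return tree

def naive_denials(before, after, base=""):
    """Plain diff: a vanished node is checked at its own path only; added subtrees have no 'before' side."""
    denied = []
    for name, kids in before.items():
        path = f"{base}/{name}"
        if name not in after:
            if not may_remove(path):
                denied.append(path)
        else:
            denied += naive_denials(kids, after[name], path)
    return denied

def missing(src, dst, base):
    """Paths (relative to the destination) that exist in the moved source subtree but not at the destination."""
    out = []
    for name, kids in src.items():
        path = f"{base}/{name}"
        if name in dst:
            out += missing(kids, dst[name], path)
        else:
            out.append(path)
    return out

def move_aware_denials(before, after, moves):
    """Same diff, plus a source-vs-destination comparison for every recorded move."""
    denied = naive_denials(before, after)
    for dst, src in moves.items():
        gone = missing(lookup(before, src), lookup(after, dst), dst)
        denied += [p for p in gone if not may_remove(p)]
    return denied
```

On the sample data the plain diff reports no denial, while the move-aware variant flags `/path/childN2/dest/n3`, which is the removal the test expects to end in `AccessDeniedException`.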