[ 
https://issues.apache.org/jira/browse/OAK-842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13893373#comment-13893373
 ] 

angela commented on OAK-842:
----------------------------

I just stumbled over this issue again while working on OAK-920. 

To summarize (at least part of) the problem: for a tree with orderable 
children, Tree#getChildren() will *not* filter out the non-accessible child but 
will instead return tree instances that don't exist.

> Incorrect interaction of orderable child nodes with permission evaluation
> -------------------------------------------------------------------------
>
>                 Key: OAK-842
>                 URL: https://issues.apache.org/jira/browse/OAK-842
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core, security
>            Reporter: Michael Dürig
>             Fix For: 0.17
>
>
> Working on OAK-813 revealed problems with the interaction of the current 
> implementation of orderable nodes and access control:
> * {{TreeImpl#getOrderedChildNames}} returns all child names regardless of 
> whether they are accessible in the current session or not. This might cause 
> errors further down the line like exposure of the existence of child nodes.
> * {{TreeImpl.remove}} doesn't (can't) update the child order property if the 
> parent is not accessible. 



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
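
The behaviour described in this message, as an added toy model that is not Oak code and is not taken from the issue: a parent stores an explicit child-order list, and the children iterator is built either from that list alone or from the list filtered by the session's read permission. The class, the `Child` record, the `canRead` predicate and the sample names are all hypothetical.

```java
import java.util.List;
import java.util.function.Predicate;
import java.util.stream.Collectors;

// Toy model (assumption, not Oak's implementation) of ordered children
// combined with per-session read permission.
public class OrderedChildrenDemo {
    // Hypothetical stand-in for a tree handle; exists is false when the
    // session cannot read the underlying node.
    record Child(String name, boolean exists) {}

    // Constructed sample: the stored child order of one parent node.
    static final List<String> CHILD_ORDER = List.of("a", "secret", "b");

    // Pattern described in the issue: one handle per stored name, whether or
    // not the session may read it, so hidden names still reach the caller.
    static List<Child> unfilteredChildren(Predicate<String> canRead) {
        return CHILD_ORDER.stream()
                .map(name -> new Child(name, canRead.test(name)))
                .collect(Collectors.toList());
    }

    // Filtered variant: drop unreadable names before any handle is created.
    static List<Child> filteredChildren(Predicate<String> canRead) {
        return CHILD_ORDER.stream()
                .filter(canRead)
                .map(name -> new Child(name, true))
                .collect(Collectors.toList());
    }

    // Regression-style check: names of returned handles that do not exist.
    // An empty result means the listing does not disclose hidden children.
    static List<String> leakedNames(List<Child> children) {
        return children.stream()
                .filter(child -> !child.exists())
                .map(Child::name)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed session policy: everything except "secret" is readable.
        Predicate<String> canRead = name -> !name.equals("secret");
        System.out.println("unfiltered leaks: " + leakedNames(unfilteredChildren(canRead)));
        System.out.println("filtered leaks:   " + leakedNames(filteredChildren(canRead)));
    }
}
```

A test written against the real API would take the same shape as `leakedNames`: iterate the children as a restricted session and fail if any returned tree reports that it does not exist.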
