[ https://issues.apache.org/jira/browse/OAK-2933?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14568034#comment-14568034 ]

Tobias Bocanegra commented on OAK-2933:
---------------------------------------

The problem happens in 
{{PermissionValidator#checkPermissions(ImmutableTree, PropertyState, long)}}, 
where it checks the permission for the added property:

{code}
     isGranted = parentPermission.isGranted(toTest, property);
{code}

The parentPermission still holds the source tree 
{{/testroot/node1/node2/node3}}, which does not have add-property permissions. I 
think MoveAwarePermissionValidator needs to know the parentPermission of the 
before and after trees.

The MoveAwarePermissionValidator is broken in that it does not use the correct 
TreePermissions.

The PermissionEntryProviderImpl with cache works, because it can look up the 
entries in the wrong tree, i.e. the validator checks add_property on 
{{/testroot/node1/node2/node3}} instead of {{/testroot/node2/destination}}. 
Coincidentally, {{/testroot/node1}} has a rep:write, but the source tree is only 
partially loaded, so for example {{/testroot/node1.hasChild(REP_POLICY)}} fails.

I.e. changing the following works:
{code}
@@ -134,9 +136,7 @@ class PermissionEntryProviderImpl implements 
PermissionEntryProvider {
             Collection<PermissionEntry> entries = 
pathEntryMap.get(accessControlledTree.getPath());
             return (entries != null) ? entries : 
Collections.<PermissionEntry>emptyList();
         } else {
-            return 
(accessControlledTree.hasChild(AccessControlConstants.REP_POLICY)) ?
-                    loadEntries(accessControlledTree.getPath()) :
-                    Collections.<PermissionEntry>emptyList();
+            return loadEntries(accessControlledTree.getPath());
         }
     }
{code}
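Review bot: removing the `hasChild(AccessControlConstants.REP_POLICY)` guard in the else branch means `loadEntries(accessControlledTree.getPath())` now runs for every access-controlled tree that misses the `pathEntryMap` cache, including trees with no `rep:policy` child, so the cheap short-circuit is lost on every uncached check; and, as the comment above itself notes, the guard only failed here because the validator handed in the source tree (`/testroot/node1/node2/node3`) instead of the destination. Suggest keeping the guard and fixing `MoveAwarePermissionValidator` to evaluate against the destination tree's `TreePermission`, rather than dropping the check in `PermissionEntryProviderImpl`.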



> AccessDenied when modifying transiently moved item with too many ACEs
> ---------------------------------------------------------------------
>
>                 Key: OAK-2933
>                 URL: https://issues.apache.org/jira/browse/OAK-2933
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.13
>            Reporter: Tobias Bocanegra
>            Assignee: Tobias Bocanegra
>
> If at least the following preconditions are fulfilled, saving a moved item 
> fails with access denied:
> 1. there are more PermissionEntries in the PermissionEntryCache than the 
> configured EagerCacheSize
> 2. a node is moved to a location where the user has write access through a 
> group membership
> 3. a property is added to the transiently moved item
> For example:
> 1. set the *eagerCacheSize* to '0'
> 2. create new group *testgroup* and user *testuser*
> 3. make *testuser* member of *testgroup*
> 4. create nodes {{/testroot/a}} and {{/testroot/a/b}} and {{/testroot/a/c}}
> 5. allow *testgroup* {{rep:write}} on {{/testroot/a}}
> 6. as *testuser* create {{/testroot/a/b/item}} (to verify that the user has 
> write access)
> 7. as *testuser* move {{/testroot/a/b/item}} to {{/testroot/a/c/item}}
> 8. {{save()}} -> works
> 9. as *testuser* move {{/testroot/a/c/item}} back to {{/testroot/a/b/item}} 
> AND add new property to the transient {{/testroot/a/b/item}}
> 10. {{save()}} -> access denied



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
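As an added example (not code from the issue or from Oak itself), the following minimal Java model shows the point the comment makes: an add-property check on a transiently moved node has to be resolved against the node's destination path, because that is where the property will live after save(). The class and method names (MoveAwarePermissionExample, AclModel, TransientMove, checkAgainstSource, checkAgainstDestination) and the grants are constructed for the example; to make the wrong-tree resolution visible without modelling Oak's cache or partial tree loading, the constructed ACL grants write only on the destination subtree, and only to the group the user belongs to, mirroring precondition 2 of the issue.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not Oak code: a minimal model of path-based write grants that
 * shows why an add-property check on a transiently moved node must be resolved
 * against the node's DESTINATION path, not the source path the validator still held.
 * All names (AclModel, TransientMove, the principals and paths) are constructed.
 */
public class MoveAwarePermissionExample {

    /** Constructed ACL: path -> principals granted write; grants inherit to descendants. */
    static final class AclModel {
        private final Map<String, Set<String>> writeGrants = new HashMap<>();

        void allowWrite(String path, String principal) {
            writeGrants.computeIfAbsent(path, k -> new HashSet<>()).add(principal);
        }

        /** Walks from the node up to the root, the way ACEs apply along the ancestry. */
        boolean canAddProperty(String nodePath, Set<String> principals) {
            String p = nodePath;
            while (true) {
                Set<String> granted = writeGrants.getOrDefault(p, Collections.emptySet());
                for (String principal : principals) {
                    if (granted.contains(principal)) {
                        return true;
                    }
                }
                if (p.equals("/")) {
                    return false;
                }
                p = parentOf(p);
            }
        }
    }

    static String parentOf(String path) {
        int idx = path.lastIndexOf('/');
        return idx <= 0 ? "/" : path.substring(0, idx);
    }

    /** A node moved in the transient space; the property is added to it before save(). */
    static final class TransientMove {
        final String sourcePath;
        final String destPath;

        TransientMove(String sourcePath, String destPath) {
            this.sourcePath = sourcePath;
            this.destPath = destPath;
        }
    }

    /** Buggy resolution as described in the comment: the permission of the source tree is used. */
    static boolean checkAgainstSource(AclModel acl, TransientMove move, Set<String> principals) {
        return acl.canAddProperty(move.sourcePath, principals);
    }

    /** Correct resolution: after the move the property lives under the destination path. */
    static boolean checkAgainstDestination(AclModel acl, TransientMove move, Set<String> principals) {
        return acl.canAddProperty(move.destPath, principals);
    }

    public static void main(String[] args) {
        AclModel acl = new AclModel();
        // Constructed setup mirroring the issue's preconditions: the user writes only
        // through group membership, and only the destination subtree grants it.
        acl.allowWrite("/testroot/node2", "testgroup");
        Set<String> principals = new HashSet<>(Arrays.asList("testuser", "testgroup"));

        TransientMove move = new TransientMove("/testroot/node1/node2/node3",
                                               "/testroot/node2/destination");

        System.out.println("resolved against source path:      "
                + checkAgainstSource(acl, move, principals));
        System.out.println("resolved against destination path: "
                + checkAgainstDestination(acl, move, principals));
    }
}
```

Only the destination-based resolution consults the subtree that actually carries the group's grant; the source-based one walks the ancestry of the path the node no longer occupies, which is the shape of the AccessDenied the issue describes. A fix in the validator (passing the destination tree's permission for the after state) addresses that directly, whereas dropping the REP_POLICY guard in the entry provider only changes which lookup happens to succeed.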