[
https://issues.apache.org/jira/browse/OAK-4632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marco Piovesana updated OAK-4632:
---------------------------------
Description:
I have two users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_
tries to delete the folder no exception is thrown and the folder is deleted.
_admin_ however can still view the node.
If I give to _userA_ the privilege to remove the node:
{code:java}
AccessControlUtils.addAccessControlEntry(session, folder.getPath(),
        userA.getPrincipal(), new String[]{Privilege.JCR_REMOVE_CHILD_NODES}, true);
AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(),
        userA.getPrincipal(), new String[]{Privilege.JCR_READ, Privilege.JCR_REMOVE_NODE}, true);
{code}
nothing changes.
Is this the expected behaviour? How can I give to _userA_ the privilege to
completely remove the node (remove it also for _admin_)?
{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
    File driveFile = new File("/tmp/oakTest", "oakrepo");
    File repositoryFile = new File(driveFile, "repository");
    File dataStoreFile = new File(driveFile, "datastore");
    BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
    FileStore repositoryStore =
            FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
    NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
    Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl());
    Repository repository = jcr.createRepository();
    Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
    UserManager userManager = ((SessionImpl) session).getUserManager();
    User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null);
    session.save();
    Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder");
    folder.addMixin(JcrConstants.MIX_SHAREABLE);
    Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
    otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
    session.save();
    String path = otherFolder.getPath();
    AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(),
            userA.getPrincipal(), new String[]{Privilege.JCR_READ}, true);
    session.save();
    session.logout();
    session = repository.login(new SimpleCredentials("userA", "userA".toCharArray()));
    Node node = session.getNode(path);
    node.remove();
    boolean exist = session.itemExists(path);
}
{code}
was:
I have two users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_
tries to delete the folder no exception is thrown and the folder is deleted.
_admin_ however can still view the node.
If I give to _userA_ the privilege to remove the node
(_Privilege.JCR_REMOVE_NODE_) nothing changes.
Is this the expected behaviour? How can I give to _userA_ the privilege to
completely remove the node (remove it also for _admin_)?
{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
    File driveFile = new File("/tmp/oakTest", "oakrepo");
    File repositoryFile = new File(driveFile, "repository");
    File dataStoreFile = new File(driveFile, "datastore");
    BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
    FileStore repositoryStore =
            FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
    NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
    Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl());
    Repository repository = jcr.createRepository();
    Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
    UserManager userManager = ((SessionImpl) session).getUserManager();
    User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null);
    session.save();
    Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder");
    folder.addMixin(JcrConstants.MIX_SHAREABLE);
    Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
    otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
    session.save();
    String path = otherFolder.getPath();
    AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(),
            userA.getPrincipal(), new String[]{Privilege.JCR_READ}, true);
    session.save();
    session.logout();
    session = repository.login(new SimpleCredentials("userA", "userA".toCharArray()));
    Node node = session.getNode(path);
    node.remove();
    boolean exist = session.itemExists(path);
}
{code}
> remove node management
> ----------------------
>
> Key: OAK-4632
> URL: https://issues.apache.org/jira/browse/OAK-4632
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core
> Affects Versions: 1.4.5
> Reporter: Marco Piovesana
>
> I have two users: _admin_ and _userA_.
> _admin_ creates a folder and gives JCR_READ privilege to _userA_. When
> _userA_ tries to delete the folder no exception is thrown and the folder is
> deleted. _admin_ however can still view the node.
> If I give to _userA_ the privilege to remove the node:
> {code:java}
> AccessControlUtils.addAccessControlEntry(session, folder.getPath(),
>         userA.getPrincipal(), new String[]{Privilege.JCR_REMOVE_CHILD_NODES}, true);
> AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(),
>         userA.getPrincipal(), new String[]{Privilege.JCR_READ, Privilege.JCR_REMOVE_NODE}, true);
> {code}
> nothing changes.
> Is this the expected behaviour? How can I give to _userA_ the privilege to
> completely remove the node (remove it also for _admin_)?
> {code:title=DeleteTest.java|borderStyle=solid}
> public void deleteWithoutPermission() throws IOException, RepositoryException {
>     File driveFile = new File("/tmp/oakTest", "oakrepo");
>     File repositoryFile = new File(driveFile, "repository");
>     File dataStoreFile = new File(driveFile, "datastore");
>     BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
>     FileStore repositoryStore =
>             FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
>     NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
>     Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl());
>     Repository repository = jcr.createRepository();
>     Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
>     UserManager userManager = ((SessionImpl) session).getUserManager();
>     User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null);
>     session.save();
>     Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder");
>     folder.addMixin(JcrConstants.MIX_SHAREABLE);
>     Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
>     otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
>     session.save();
>     String path = otherFolder.getPath();
>     AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(),
>             userA.getPrincipal(), new String[]{Privilege.JCR_READ}, true);
>     session.save();
>     session.logout();
>     session = repository.login(new SimpleCredentials("userA", "userA".toCharArray()));
>     Node node = session.getNode(path);
>     node.remove();
>     boolean exist = session.itemExists(path);
> }
> {code}
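An added example, not part of the issue or of Oak's own code: the test in the description calls `node.remove()` and then `itemExists()` in the same session without a following `session.save()`, so it only observes userA's pending change. The helper below (class, enum and method names are hypothetical; only standard `javax.jcr` calls are used) asks for the effective permission, persists the removal, and lets a second session confirm the result.

```java
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

/** Added example: checks whether a removal is permitted and actually persisted. */
public final class RemoveCheck {

    /** Outcome of an attempted removal. */
    public enum Result { REMOVED, DENIED_BY_CHECK, DENIED_ON_WRITE }

    private RemoveCheck() { }

    /**
     * Tries to remove the node at absPath and persist the change.
     * Node.remove() only records a pending change in the calling session;
     * other sessions see nothing until save() succeeds.
     */
    public static Result removeAndPersist(Session session, String absPath)
            throws RepositoryException {
        // Ask the repository up front whether this session may remove the node.
        if (!session.hasPermission(absPath, Session.ACTION_REMOVE)) {
            return Result.DENIED_BY_CHECK;
        }
        try {
            session.getNode(absPath).remove(); // pending change, this session only
            session.save();                    // persist; access is enforced by now at the latest
            return Result.REMOVED;
        } catch (AccessDeniedException e) {
            session.refresh(false);            // discard the rejected pending removal
            return Result.DENIED_ON_WRITE;
        }
    }

    /**
     * True if a second session (for example admin's) no longer finds the node.
     * refresh(false) drops that session's own pending changes, so use a
     * session that is only used for verification.
     */
    public static boolean goneFor(Session other, String absPath)
            throws RepositoryException {
        other.refresh(false); // read the latest persisted state
        return !other.itemExists(absPath);
    }
}
```

In an access-control test, assert on the `Result` and on `goneFor(adminSession, path)` rather than on `itemExists()` in the session that issued the removal.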