[ https://issues.apache.org/jira/browse/OAK-4459?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela updated OAK-4459:
------------------------
    Fix Version/s:     (was: 1.6)

> Duplicate and case sensitive comparison of lockowner with user id
> -----------------------------------------------------------------
>
>                 Key: OAK-4459
>                 URL: https://issues.apache.org/jira/browse/OAK-4459
>             Project: Jackrabbit Oak
>          Issue Type: Technical task
>          Components: jcr
>            Reporter: angela
>
> The current lock implementation in oak-jcr contains multiple places where the 
> user id stored with the editing session is compared to lock specific 
> information (lock owner information).
> IMO that should be streamlined to make sure the code works consistently across 
> the various methods (which it currently doesn't, see OAK-4458).
> Also it looks troublesome to me that the comparison is case sensitive as the 
> login by default is not case sensitive... alternatively compare it to a value 
> that is known to be immutable such as e.g. the user ID as stored in the user 
> management (and only fall back to session id, which might be {{null}} btw) if 
> no user exists or user management is not supported.
> In general I find it quite problematic to base any kind of verification on 
> the {{jcr:lockOwner}} implementation, which is _NOT_ intended to be used 
> for that purpose (see specification)... if the locking feature was properly 
> implemented, we would not base the ability to unlock a given node on 
> information that can be application supplied such as the {{jcr:lockOwner}} 
> property but rather make sure we have internal ways that allow for proper 
> verification.
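As an added illustration (not oak-jcr code, and not the reporter's patch), the sketch below shows the interim streamlining the report suggests: one hypothetical helper derives the identity used for lock-owner checks, preferring the ID from user management and falling back to the session id (guarding against it being null), and every lock method compares through the same helper. It uses only the public JCR and Jackrabbit API and still relies on the lock owner value, which the report itself flags as an unsuitable basis for verification.

```java
import java.util.Objects;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.lock.Lock;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;

/**
 * Hypothetical helper (added example, not part of oak-jcr): a single place
 * that derives the identity stored at lock() and compared at unlock(), so the
 * various lock methods cannot drift apart in how they compare user ids.
 */
public final class LockOwnerIdentity {

    private LockOwnerIdentity() {}

    /**
     * Prefer the ID as stored in user management, which is stable for the life
     * of the user; fall back to the session's user id (which may be null) only
     * when user management is unavailable or knows no such user.
     */
    public static String stableUserId(Session session) throws RepositoryException {
        String sessionUserId = session.getUserID();
        if (sessionUserId == null || !(session instanceof JackrabbitSession)) {
            return sessionUserId;
        }
        try {
            UserManager um = ((JackrabbitSession) session).getUserManager();
            Authorizable a = um.getAuthorizable(sessionUserId);
            return (a != null) ? a.getID() : sessionUserId;
        } catch (UnsupportedRepositoryOperationException e) {
            // Repository without user management: only the session id is available.
            return sessionUserId;
        }
    }

    /** The one comparison every lock-related method should call. */
    public static boolean isLockOwner(Session session, Lock lock) throws RepositoryException {
        String me = stableUserId(session);
        // A null session user id never matches and never throws an NPE here.
        return me != null && Objects.equals(me, lock.getLockOwner());
    }
}
```

The value written as lock owner at lock time should be produced by the same `stableUserId` call, otherwise the comparison at unlock time is again against whatever the application or login path happened to supply.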



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
