Kunal Shubham created OAK-8855:

             Summary: Permission evaluation of nodes broken after :nestedCug 
removed from parent node
                 Key: OAK-8855
                 URL: https://issues.apache.org/jira/browse/OAK-8855
             Project: Jackrabbit Oak
          Issue Type: Bug
          Components: authorization-cug
            Reporter: Kunal Shubham

Steps to Reproduce:
 # Create a node 'a' which has two children nodes 'b1' and 'b2'. The content 
tree looks as shown: /content/a/b1, /content/a/b2. Create two users user1 and 
 # Apply CUG policy on /content/a.
 ** Authorize user1 and user2 to read /content/a.
 ** Authorize user1 to read /content/a/b1.
 ** Authorize user2 to read /content/a/b2.
 # Remove :nestedCugs property from /content/a/rep:cugPolicy.
 # Create a content session, login with user2. Try to read /content/a/b1.

*Observed behavior* : user2 is able to read /content/a/b1.

*Expected behavior* : user2 should not be able to read /content/a/b1 as it is 
unauthorized to do so.

Please note that :nestedCugs is removed by a mechanism which completely 
overwrites content tree below "/content/a".

This message was sent by Atlassian Jira

Reply via email to