[
https://issues.apache.org/jira/browse/OAK-10334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17739119#comment-17739119
]
Marcel Reutegger commented on OAK-10334:
----------------------------------------
PR now contains a proposed fix. Adding a mixin type now also requires read
permission on jcr:mixinTypes.
[~angela], WDYT?
> Node.addMixin() may overwrite existing mixins
> ---------------------------------------------
>
> Key: OAK-10334
> URL: https://issues.apache.org/jira/browse/OAK-10334
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: jcr
> Reporter: Marcel Reutegger
> Priority: Major
>
> A Session lacking permission to read property jcr:mixinTypes, but permission
> to write will overwrite existing mixins when calling Node.addMixin().
> The implementation does not check if the session has permission to read
> jcr:mixinTypes and assumes there are no existing values when the session does
> not have permission. The result is a jcr:mixinTypes property with only a
> single value passed to addMixin().
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
