[ https://issues.apache.org/jira/browse/OAK-10334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17739476#comment-17739476 ]

Marcel Reutegger commented on OAK-10334:
----------------------------------------

Read and write are distinct permissions. There are aggregates that include 
both, but generally it is possible to deny read and allow write of an item. See 
also the test in the PR.

> Node.addMixin() may overwrite existing mixins
> ---------------------------------------------
>
>                 Key: OAK-10334
>                 URL: https://issues.apache.org/jira/browse/OAK-10334
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: jcr
>            Reporter: Marcel Reutegger
>            Priority: Major
>
> A Session lacking permission to read property jcr:mixinTypes, but with 
> permission to write, will overwrite existing mixins when calling Node.addMixin().
> The implementation does not check if the session has permission to read 
> jcr:mixinTypes and assumes there are no existing values when the session does 
> not have permission. The result is a jcr:mixinTypes property with only a 
> single value passed to addMixin().



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
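
The behaviour described in the issue, as an added example (a simplified Python model, not Oak's code and not the test from the PR). The Session class, both add_mixin functions and the sample mixin values are hypothetical; the merging variant is one assumed mitigation, not necessarily the fix the project applied.

```python
MIXINS = "jcr:mixinTypes"


class Session:
    """Constructed model: read and write on a property are granted separately."""

    def __init__(self, store, can_read, can_write):
        self.store = store                # shared dict: property name -> list of values
        self.can_read = set(can_read)
        self.can_write = set(can_write)

    def get(self, name):
        # Access-controlled read: an unreadable property looks like a missing one.
        if name not in self.can_read:
            return None
        return self.store.get(name)

    def set(self, name, values):
        if name not in self.can_write:
            raise PermissionError(name)
        self.store[name] = list(values)


def add_mixin_flawed(session, mixin):
    # As described in the issue: "not readable" is treated as "no existing values",
    # so the write replaces whatever was stored with a single value.
    existing = session.get(MIXINS) or []
    if mixin not in existing:
        session.set(MIXINS, existing + [mixin])


def add_mixin_merging(session, mixin):
    # Assumed mitigation: enforce write permission, then merge against the stored
    # state internally. The existing values are never returned to the caller.
    if MIXINS not in session.can_write:
        raise PermissionError(MIXINS)
    existing = session.store.get(MIXINS, [])
    if mixin not in existing:
        session.store[MIXINS] = existing + [mixin]


def run(add_mixin):
    # Constructed sample state: a node that already carries two mixins,
    # and a session that may write jcr:mixinTypes but not read it.
    store = {MIXINS: ["mix:versionable", "mix:lockable"]}
    writer = Session(store, can_read=[], can_write=[MIXINS])
    add_mixin(writer, "mix:referenceable")
    return store[MIXINS]
```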
