[ https://issues.apache.org/jira/browse/OAK-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028893#comment-17028893 ]

Julian Reschke edited comment on OAK-8855 at 9/12/23 9:00 AM:
--------------------------------------------------------------

trunk: (1.26.0) [4f2ce8b26b|https://github.com/apache/jackrabbit-oak/commit/4f2ce8b26bd73a1b806a4294a5915fb0860fc026]
1.22: (1.22.1) [4529eaa558|https://github.com/apache/jackrabbit-oak/commit/4529eaa558be4d41e8bbc0c463ba498dc2971685]

...in retired branches:
1.10: [b96acdf4e2|https://github.com/apache/jackrabbit-oak/commit/b96acdf4e2bfcb90103ff7fe5ab8c6d8361600e3]
1.8: (1.8.21) [8cf992cb9c|https://github.com/apache/jackrabbit-oak/commit/8cf992cb9c681b87719acf836b0c33f22cbc17de]



was (Author: anchela):
trunk: r1873524
1.22 branch: r1873533
1.10 branch: r1873536
1.8 branch: r1873537

> Permission evaluation of nodes broken after :nestedCug removed from parent 
> node
> -------------------------------------------------------------------------------
>
>                 Key: OAK-8855
>                 URL: https://issues.apache.org/jira/browse/OAK-8855
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: authorization-cug
>    Affects Versions: 1.8.7
>            Reporter: Kunal Shubham
>            Assignee: Angela Schreiber
>            Priority: Major
>              Labels: candidate_oak_1_22
>             Fix For: 1.26.0, 1.8.21, 1.22.1
>
>         Attachments: OAK-8855.patch, OAK-8855_backport.patch
>
>
> Steps to Reproduce:
>  # Create a node 'a' which has two children nodes 'b1' and 'b2'. The content 
> tree looks as shown: /content/a/b1, /content/a/b2. Create two users user1 and 
> user2.
>  # Apply CUG policy on /content/a.
>  ** Authorize user1 and user2 to read /content/a.
>  ** Authorize user1 to read /content/a/b1.
>  ** Authorize user2 to read /content/a/b2.
>  # Remove :nestedCugs property from /content/a/rep:cugPolicy.
>  # Create a content session, login with user2. Try to read /content/a/b1.
> *Observed behavior* : user2 is able to read /content/a/b1.
> *Expected behavior* : user2 should not be able to read /content/a/b1 as it is 
> unauthorized to do so.
> Please note that :nestedCugs is removed by a mechanism which completely 
> overwrites content tree below "/content/a".



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
