[
https://issues.apache.org/jira/browse/OAK-12058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18052941#comment-18052941
]
Joerg Hoh commented on OAK-12058:
---------------------------------
OAK-3775 added some explicit tests, where missing read access to / (especially
to /jcr:system/jcr:nodeTypes) influenced the outcome of the JCR API functions
wrt NodeType operations.
See
[https://github.com/apache/jackrabbit-oak/blob/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ReadNodeTypeTest.java]
[~angela] you added these tests, any idea if they are strictly necessary in
terms of the JCR API spec (assuming an overall consistent behavior).
> Remove non-required permission check when accessing mixins
> ----------------------------------------------------------
>
> Key: OAK-12058
> URL: https://issues.apache.org/jira/browse/OAK-12058
> Project: Jackrabbit Oak
> Issue Type: Task
> Components: jcr
> Affects Versions: 1.90.0
> Reporter: Joerg Hoh
> Priority: Major
>
> The JCR Spec does not mention, that access to Mixin and NodeType information
> can be prevented via access control.
> Currently {{NodeImpl.canReadMixinTypes()}}
> ([Github|https://github.com/apache/jackrabbit-oak/blob/f277fe135a2b489bd34cb8d6d0b6e23686466228/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/NodeImpl.java#L1344])
> is invoked by {{NodeImpl.getMixinTypeNames()}}, which itself is called by
> these 3 API operations
> * {{NodeImpl.addMixin(String)}}
> * {{NodeImpl.getMixinNodeTypes()}}
> * {{NodeImpl.isNodeType()}}
> Removing this check will avoid a few operations and have a small positive
> performance impact on the above APIs calls.
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
