Marco Piovesana created OAK-4632: ------------------------------------ Summary: User with with just JCR_READ privilege can delete a node Key: OAK-4632 URL: https://issues.apache.org/jira/browse/OAK-4632 Project: Jackrabbit Oak Issue Type: Bug Components: core Affects Versions: 1.4.5 Reporter: Marco Piovesana
I have tow users: _admin_ and _userA_. _admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ tries to delete the folder no exception is thrown and the folder is deleted. Am I doing something wrong? {code:title=DeleteTest.java|borderStyle=solid} public void deleteWithoutPermission() throws IOException, RepositoryException { File driveFile = new File("/tmp/oakTest", "oakrepo"); File repositoryFile = new File(driveFile, "repository"); File dataStoreFile = new File(driveFile, "datastore"); BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath()); FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create(); NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create(); Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl()); Repository repository = jcr.createRepository(); Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray())); UserManager userManager = ((SessionImpl) session).getUserManager(); User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null); session.save(); Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder"); folder.addMixin(JcrConstants.MIX_SHAREABLE); Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder"); otherFolder.addMixin(JcrConstants.MIX_SHAREABLE); session.save(); String path = otherFolder.getPath(); AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(), new String[]{Privilege.JCR_READ}, true); session.save(); session.logout(); session = repository.login(new SimpleCredentials("userA", "userA".toCharArray())); Node node = session.getNode(path); node.remove(); boolean exist = session.itemExists(path); } {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)