[jira] [Created] (OAK-4632) User with with just JCR_READ privilege can delete a node

Tue, 02 Aug 2016 08:44:55 -0700 

Marco Piovesana created OAK-4632:
------------------------------------

             Summary: User with with just JCR_READ privilege can delete a node
                 Key: OAK-4632
                 URL: https://issues.apache.org/jira/browse/OAK-4632
             Project: Jackrabbit Oak
          Issue Type: Bug
          Components: core
    Affects Versions: 1.4.5
            Reporter: Marco Piovesana


I have tow users: _admin_ and _userA_.
 _admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ 
tries to delete the folder no exception is thrown and the folder is deleted. Am 
I doing something wrong?

{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
        File driveFile = new File("/tmp/oakTest", "oakrepo");
        File repositoryFile = new File(driveFile, "repository");
        File dataStoreFile = new File(driveFile, "datastore");

        BlobStore blobStore = new 
FileBlobStore(dataStoreFile.getAbsolutePath());
        FileStore repositoryStore = 
FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();

        NodeStore nodeStore = 
SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
        Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new 
SecurityProviderImpl());

        Repository repository = jcr.createRepository();
        Session session = repository.login(new SimpleCredentials("admin", 
"admin".toCharArray()));
        UserManager userManager = ((SessionImpl) session).getUserManager();
        User userA = userManager.createUser("userA", "userA", new 
UserPrincipal("userA"), null);
        session.save();

        Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), 
"myfolder");
        folder.addMixin(JcrConstants.MIX_SHAREABLE);
        Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
        otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
        session.save();
        String path = otherFolder.getPath();
        AccessControlUtils.addAccessControlEntry(session, 
otherFolder.getPath(), userA.getPrincipal(), new String[]{Privilege.JCR_READ}, 
true);
        session.save();
        session.logout();
        session = repository.login(new SimpleCredentials("userA", 
"userA".toCharArray()));
        Node node = session.getNode(path);
        node.remove();
        boolean exist = session.itemExists(path);
    }
{code}





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to