[jira] [Commented] (OAK-10334) Node.addMixin() may overwrite existing mixins

2024-05-02 Thread Julian Reschke (Jira)


[ https://issues.apache.org/jira/browse/OAK-10334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17842998#comment-17842998 ]

Julian Reschke commented on OAK-10334:
--

Backport to 1.22 would be tricky, because 
https://issues.apache.org/jira/browse/OAK-9868 modified the exported API 
earlier on.


> Node.addMixin() may overwrite existing mixins
> ---------------------------------------------
>
> Key: OAK-10334
> URL: https://issues.apache.org/jira/browse/OAK-10334
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: jcr
> Reporter: Marcel Reutegger
> Assignee: Marcel Reutegger
> Priority: Major
> Labels: candidate_oak_1_22
> Fix For: 1.58.0
>
> A Session lacking permission to read property jcr:mixinTypes, but permission
> to write will overwrite existing mixins when calling Node.addMixin().
> The implementation does not check if the session has permission to read
> jcr:mixinTypes and assumes there are no existing values when the session does
> not have permission. The result is a jcr:mixinTypes property with only a
> single value passed to addMixin().



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (OAK-10334) Node.addMixin() may overwrite existing mixins

2023-09-28 Thread Julian Reschke (Jira)


[ https://issues.apache.org/jira/browse/OAK-10334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17770145#comment-17770145 ]

Julian Reschke commented on OAK-10334:
--

trunk: 
[e91361faa5|https://github.com/apache/jackrabbit-oak/commit/e91361faa59349b0fb389c159399cc27071c0f58]
 (1.56.0) 
[46109d1d84|https://github.com/apache/jackrabbit-oak/commit/46109d1d8434aabb25f18d5c25afc0cb9414fe4f]
 
[028e8d3618|https://github.com/apache/jackrabbit-oak/commit/028e8d3618895e40031d3fe2958378a80859f5f9]
 
[cf521f072e|https://github.com/apache/jackrabbit-oak/commit/cf521f072e0006b4dc5145e6997cef868c644d45]
 (1.54.0) 
[0b8223f113|https://github.com/apache/jackrabbit-oak/commit/0b8223f11383e465dbc77bea04337e0c08f28079]
 
[2c83efbefc|https://github.com/apache/jackrabbit-oak/commit/2c83efbefc0e7dd832e598606e0f002a241f3fc4]




[jira] [Commented] (OAK-10334) Node.addMixin() may overwrite existing mixins

2023-09-04 Thread Marcel Reutegger (Jira)


[ https://issues.apache.org/jira/browse/OAK-10334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17761702#comment-17761702 ]

Marcel Reutegger commented on OAK-10334:


Follow-up issue regarding Node.removeMixin(String): OAK-10425



[jira] [Commented] (OAK-10334) Node.addMixin() may overwrite existing mixins

2023-08-25 Thread Marcel Reutegger (Jira)


[ https://issues.apache.org/jira/browse/OAK-10334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17758860#comment-17758860 ]

Marcel Reutegger commented on OAK-10334:


Based on review feedback in the PR the proposed fix now correctly updates 
jcr:mixinTypes even when the session does not have read permission on the 
property. This is consistent with the behaviour described in OAK-2441.

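The overwrite described in the issue, next to a merge that matches the behaviour of the revised fix, as an added example. This is a toy model and not Oak code or the code from the PR: `Session`, `stored`, `addMixinVulnerable` and `addMixinFixed` are hypothetical names, the mixin values are constructed, and reading the unfiltered stored state is an assumption about how the fix can be achieved.

```java
import java.util.*;

// Toy model, not Oak code: every class and method name here is hypothetical.
public class MixinOverwriteDemo {
    static final String MIXINS = "jcr:mixinTypes";
    // Persisted property values, independent of any session's permissions.
    static final Map<String, List<String>> stored = new HashMap<>();

    // Session view that hides properties the session may not read.
    record Session(boolean canRead, boolean canWrite) {
        List<String> read(String name) {
            // A denied read looks exactly like an absent property.
            return canRead ? stored.get(name) : null;
        }
        void write(String name, List<String> values) {
            if (!canWrite) throw new SecurityException("write denied: " + name);
            stored.put(name, List.copyOf(values));
        }
    }

    // Reported behaviour: the merge base comes from the permission-filtered view.
    static void addMixinVulnerable(Session s, String mixin) {
        List<String> current = s.read(MIXINS);
        if (current == null) current = List.of(); // "no existing values" assumption
        Set<String> merged = new LinkedHashSet<>(current);
        merged.add(mixin);
        s.write(MIXINS, new ArrayList<>(merged)); // replaces the hidden values
    }

    // Assumed shape of the revised fix: merge against stored state, still enforce write.
    static void addMixinFixed(Session s, String mixin) {
        Set<String> merged = new LinkedHashSet<>(stored.getOrDefault(MIXINS, List.of()));
        merged.add(mixin);
        s.write(MIXINS, new ArrayList<>(merged));
    }

    public static void main(String[] args) {
        Session writeOnly = new Session(false, true); // read denied, write allowed
        List<String> existing = List.of("mix:versionable", "mix:lockable"); // constructed

        stored.put(MIXINS, existing);
        addMixinVulnerable(writeOnly, "mix:referenceable");
        System.out.println("vulnerable: " + stored.get(MIXINS));

        stored.put(MIXINS, existing);
        addMixinFixed(writeOnly, "mix:referenceable");
        System.out.println("fixed:      " + stored.get(MIXINS));
    }
}
```

A regression test for this class of bug should set up a session with write but no read access to the property, then verify the stored values through a separate session that can read them.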


[jira] [Commented] (OAK-10334) Node.addMixin() may overwrite existing mixins

2023-07-03 Thread Marcel Reutegger (Jira)


[ https://issues.apache.org/jira/browse/OAK-10334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17739476#comment-17739476 ]

Marcel Reutegger commented on OAK-10334:


Read and write are distinct permissions. There are aggregates that include 
both, but generally it is possible to deny read and allow write of an item. See 
also test in PR.



[jira] [Commented] (OAK-10334) Node.addMixin() may overwrite existing mixins

2023-07-03 Thread Stefan Egli (Jira)


[ https://issues.apache.org/jira/browse/OAK-10334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17739473#comment-17739473 ]

Stefan Egli commented on OAK-10334:
---

> A Session lacking permission to read property jcr:mixinTypes, but
> permission to write

Sounds unexpected that a session can write but not read. Is it the same 
permission or are these two separate permissions?



[jira] [Commented] (OAK-10334) Node.addMixin() may overwrite existing mixins

2023-06-30 Thread Marcel Reutegger (Jira)


[ https://issues.apache.org/jira/browse/OAK-10334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17739119#comment-17739119 ]

Marcel Reutegger commented on OAK-10334:


PR now contains a proposed fix. Adding a mixin type now also requires read 
permission on jcr:mixinTypes.

[~angela], WDYT?



[jira] [Commented] (OAK-10334) Node.addMixin() may overwrite existing mixins

2023-06-30 Thread Marcel Reutegger (Jira)


[ https://issues.apache.org/jira/browse/OAK-10334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17739102#comment-17739102 ]

Marcel Reutegger commented on OAK-10334:


Created draft PR with a test reproducing the issue: 
https://github.com/apache/jackrabbit-oak/pull/1011
