Oliver,
Not sure it applies here, but I remember looking around one time and discovering that removing permissions ends up checking to see if the object exists, so if they aren't removed before the object is deleted, you get errors. revokePermission() has a call to checkCredentials(token, object, ...) in it. For slide 1, I think we kludged and silently caught the ObjectNotFoundException caused by Macro.delete().
With a quick look in MacroImpl, I'm don't see any way that a security setting on the node being delted is getting checked either, but a fix will probably have to do more than just remove content and then the permissions...
Jim
----- Original Message ----- From: "Oliver Zeigermann" <[EMAIL PROTECTED]>
To: "Slide Developers Mailing List" <[EMAIL PROTECTED]>
Sent: Tuesday, October 19, 2004 11:32 AM
Subject: Re: Suspicious code in MacroImpl deleteObject
On Tue, 19 Oct 2004 16:44:36 +0200, Stefan L�tzkendorf <[EMAIL PROTECTED]> wrote:
Versions are maintained at the version history resource I think. That one of the things im bewildered again and again (:-) If you put a resource under version control and check it in some times, you will not found any aditional revisiondescriptor at the resource but at the history resource. So I think (webdav) versions are NOT removed. (Multiple revisions I have ever observerd when removing the history resource, i.e. the collection where the versions are stored) (Thats why think the webdav versioning and the slide versioning are designed under different views, and something could be improved we only want to support webdav)
Right, forgot about that...
The other point looks weired too. First locka and permissions are removed, and than content and the node are removed. The checks in ContentImpl.remove and StructureImpl.remove seem to be made effectless. But why we dont observe strange security violations?
I guess because inherited security setting apply here. It is just local settings that are removed. Still, seems to be just wrong to me.
Oliver
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
