Currently in StructureImpl.java read privilege is checked against all parent folders
before in various methods such as retrieve() .
e.g.
while (uriTokenizer.hasMoreElements()) {
�..
>>>begin snip
// 3 - Load object's class from the uri. If the object
// does not exist, a DataException is thrown.
courUri = uriTokenizer.nextUri();
courObject = courUri.getStore().retrieveObject(courUri);
// We check to see if the credentials gives access to
//the current object
securityHelper.checkCredentials(token, courObject,
namespaceConfig.getReadObjectAction());
<<<end snippet
......
} //end while
I would like to implement a security model variation where people can directly access
(browse) their folder without having any access of its parent folder (for example, use
has no access to /home but may have full privilege to /home/johndoe/).
I am considering to modify StructureImpl.java to comment out the parent folder read
privilege check so that it may get transparently turned off across my side
implementation. Does anyone see any adverse side effect in doing so?
regards
Var George
---------------------------------
Do you Yahoo!?
Yahoo! Mail - You care about security. So do we.
