Hi.
When a node is moved using session.move(), should REMOVE access be checked?
It seems that it's not checked.
When a node cannot be removed because AccessManager does not allow this, it
still can be moved.
Here's a test:
public void testMoveNode() throws Exception {
Node root = session.getRootNode();
Node nodeToMove = root.addNode("nodeToMove");
session.save();
session.move(nodeToMove.getPath(), "/someNewPath");
try {
session.save();
fail("Move should not be successful!");
} catch (AccessDeniedException e) {
// expected
}
}
While AccessManager's isGranted() method is:
public boolean isGranted(ItemId id, int permissions)
throws ItemNotFoundException, RepositoryException {
// don't allow to remove any items
if ((permissions & REMOVE) == REMOVE) {
return false;
}
return true;
}
For comparison: following test passes (it removes a node instead of moving):
public void testDeleteNode() throws Exception {
Node root = session.getRootNode();
Node nodeToDelete = root.addNode("nodeToDelete");
session.save();
nodeToDelete.remove();
try {
session.save();
fail("Removal should not be successful!");
} catch (AccessDeniedException e) {
// expected
}
}
Maven project with tests is here:
http://rpuch.narod.ru/test-remove-access.zip
--
View this message in context:
http://www.nabble.com/REMOVE-access-is-not-ckecked-when-moving-a-node-tp17293191p17293191.html
Sent from the Jackrabbit - Users mailing list archive at Nabble.com.
