  1. Jackrabbit Content Repository
  2. JCR-3230

hasCapability() does not respect permissions

      Description

      Session.hasCapability() is lacking a sound check for access control permissions; thus it can return true even if the respective call to hasPermission will return false.
      This violates the specification:

      [hasCapability] checks whether an operation can be performed given as much context as can be determined by the repository, including:

      • Permissions granted to the current user, including access control privileges.
      • [...]

      (from: http://www.day.com/specs/jcr/2.0/9_Permissions_and_Capabilities.html)

            People

            • Assignee: Unassigned
            • Reporter: chaotic Lars Krapf
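A caller-side guard for the mismatch reported above, as an added example that is not part of the issue or of Jackrabbit's code: it treats `hasPermission()` as authoritative and consults `hasCapability()` only afterwards. The class name `CapabilityGuard`, the helper `mayAddNode`, the path `/content` and the proxy-based stubs are assumptions made for illustration; only the `javax.jcr` API is required on the classpath.

```java
import java.lang.reflect.Proxy;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

public class CapabilityGuard {

    /**
     * Returns true only if both checks allow adding a child node.
     * hasPermission() is evaluated first, so an over-optimistic
     * hasCapability() can never widen what access control allows.
     */
    static boolean mayAddNode(Session session, Node parent, String childName)
            throws RepositoryException {
        String parentPath = parent.getPath();
        // The root node's path is "/", so avoid producing "//child".
        String childPath = ("/".equals(parentPath) ? "" : parentPath) + "/" + childName;
        if (!session.hasPermission(childPath, Session.ACTION_ADD_NODE)) {
            return false;
        }
        return session.hasCapability("addNode", parent, new Object[] { childName });
    }

    public static void main(String[] args) throws RepositoryException {
        // Constructed stub: a parent node located at the hypothetical path /content.
        Node parent = (Node) Proxy.newProxyInstance(
                Node.class.getClassLoader(), new Class<?>[] { Node.class },
                (proxy, method, a) -> "getPath".equals(method.getName()) ? "/content" : null);

        // Constructed stub reproducing the reported behaviour: the capability
        // check answers true although the permission check answers false.
        Session session = (Session) Proxy.newProxyInstance(
                Session.class.getClassLoader(), new Class<?>[] { Session.class },
                (proxy, method, a) -> {
                    switch (method.getName()) {
                        case "hasCapability": return true;
                        case "hasPermission": return false;
                        default: throw new UnsupportedOperationException(method.getName());
                    }
                });

        boolean raw = session.hasCapability("addNode", parent, new Object[] { "child" });
        boolean guarded = mayAddNode(session, parent, "child");
        System.out.println("hasCapability alone: " + raw);
        System.out.println("guarded check:       " + guarded);
    }
}
```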