Details
-
New Feature
-
Status: Closed
-
Major
-
Resolution: Fixed
-
2.6.2, 2.7
-
None
-
None
-
None
Description
In Jackrabbit 2.5 and older, the query result set (NodeIterator.getSize()) was an estimation that sometimes included nodes that are not visible for the current user.
This is a possible security problem. The behavior was changed (and the security problem fixed) in JCR-3402. However, this is an incompatibility with Jackrabbit 2.5.
I suggest to make this configurable in workspace.xml / repository.xml (or a system property, if that turns out to be too complicated). The default is the current (secure) behavior, with the option to use the old variant.