Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
- 2.1.3
- None
Description
SiteView.getNodeProxy uses currentFolder.getAll() to look up a target path (element).
FolderImpl.getAll() (both PSML and DB versions) will filter out any Node for which the current user doesn't have access.
But this means no distinction is possible between access to a non-existent page and access to a page that is not allowed (e.g. 404 or 403).
The ProfilerValveImpl (invoking these) already can handle a thrown SecurityException and send a SC_FORBIDDEN error (if configured to do so).
So, the intended behavior already is to support this.
We just need to fix SiteView.getNodeProxy a little, e.g. by calling currentFolder.getAllNodes() and performing the security check itself if the path was resolved.
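
The lookup change proposed above, sketched as an added example (not Jetspeed's code): `Node`, `Folder`, `lookupFiltered`, `lookupChecked` and `status` are simplified stand-ins, and only the method names `getAll()` and `getAllNodes()` are taken from the issue text.

```java
import java.util.*;

// Simplified stand-in model, not Jetspeed's classes (assumed for illustration).
public class NodeLookupDemo {
    record Node(String name, Set<String> allowedUsers) {
        void checkAccess(String user) {
            if (!allowedUsers.contains(user)) throw new SecurityException("access denied: " + name);
        }
    }

    record Folder(Map<String, Node> children) {
        // Filtered view: nodes the user may not access are silently dropped.
        Map<String, Node> getAll(String user) {
            Map<String, Node> visible = new LinkedHashMap<>();
            children.forEach((k, n) -> { if (n.allowedUsers().contains(user)) visible.put(k, n); });
            return visible;
        }
        // Unfiltered view: every child, regardless of the caller.
        Map<String, Node> getAllNodes() { return children; }
    }

    // Before: a forbidden node and a missing node both come back as null.
    static Node lookupFiltered(Folder f, String name, String user) {
        return f.getAll(user).get(name);
    }

    // After: resolve against the unfiltered list, then check access on the result.
    static Node lookupChecked(Folder f, String name, String user) {
        Node n = f.getAllNodes().get(name);
        if (n != null) n.checkAccess(user); // SecurityException propagates to the caller
        return n;
    }

    // Hypothetical caller that maps the outcome to an HTTP status code.
    static int status(Folder f, String name, String user) {
        try {
            return lookupChecked(f, name, user) == null ? 404 : 200;
        } catch (SecurityException e) {
            return 403;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: one page open to guests, one restricted to admin.
        Folder root = new Folder(Map.of(
            "public.psml", new Node("public.psml", Set.of("guest", "admin")),
            "admin.psml", new Node("admin.psml", Set.of("admin"))));
        for (String page : List.of("public.psml", "admin.psml", "missing.psml"))
            System.out.println(page + " filteredHit=" + (lookupFiltered(root, page, "guest") != null)
                + " status=" + status(root, page, "guest"));
    }
}
```

Answering 403 tells a caller without access that the path exists; the issue notes that sending SC_FORBIDDEN is a configuration choice.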