Description
The following test passes in Jackrabbit-Core but fails in OAK:
    @Test
    public void testMoveRemoveSubTree() throws Exception {
        superuser.getNode(childNPath).addNode(nodeName3);
        superuser.save();

        /* allow READ/WRITE privilege for testUser at 'path' */
        givePrivileges(path, privilegesFromNames(new String[] {Privilege.JCR_READ, "rep:write"}),
                Collections.<String, Value>emptyMap());
        /* deny READ/REMOVE property privileges at subtree. */
        withdrawPrivileges(path, privilegesFromNames(new String[] {Privilege.JCR_REMOVE_NODE}),
                Collections.singletonMap("rep:glob",
                        superuser.getValueFactory().createValue("*/" + nodeName3)));

        Session testSession = getTestSession();
        assertTrue(testSession.nodeExists(childNPath));
        assertTrue(testSession.hasPermission(childNPath, Session.ACTION_REMOVE));
        assertTrue(testSession.hasPermission(childNPath2, Session.ACTION_ADD_NODE));

        testSession.move(childNPath, childNPath2 + "/dest");
        Node dest = testSession.getNode(childNPath2 + "/dest");
        dest.getNode(nodeName3).remove();

        try {
            testSession.save();
            fail("Removing child node must be denied.");
        } catch (AccessDeniedException e) {
            // success
        }
    }
This is a critical security issue, as moving the parent around is sufficient to be able to remove a node that was otherwise not removable due to limited permissions.
AFAIK this behavior is caused by a limitation in the Diff process, which doesn't allow identifying the move and thus makes it impossible to find out if the subtree has been removed.
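The limitation described above, as an added Python model that is not Oak or Jackrabbit code: a commit check that only diffs the before and after trees cannot see the denied removal, while one that replays the recorded move can. The paths, the `*/n3` glob handling via `fnmatch`, and the rule that a diff-only check tests removal on the root of each deleted subtree are assumptions made for illustration.

```python
import fnmatch

# Constructed paths standing in for path, childNPath, childNPath2, nodeName3.
PATH = "/test"
BEFORE = {"/test", "/test/childN", "/test/childN/n3", "/test/childN2"}
# Transient state after move(childN -> childN2/dest) and dest/n3.remove().
AFTER = {"/test", "/test/childN2", "/test/childN2/dest"}
MOVES = [("/test/childN", "/test/childN2/dest")]


def denied_remove(node_path):
    """Deny entry on jcr:removeNode at PATH, restricted by rep:glob '*/n3'."""
    return fnmatch.fnmatchcase(node_path[len(PATH):], "*/n3")


def roots(paths):
    """Topmost paths of a set, i.e. the roots of the affected subtrees."""
    return {p for p in paths if p.rsplit("/", 1)[0] not in paths}


def check_diff_only(before, after):
    """Assumed diff-only check: tests removal on each deleted subtree root.

    A moved subtree looks like 'deleted here, added there', so nothing
    says that the added copy is missing a child of the original.
    """
    return sorted(p for p in roots(before - after) if denied_remove(p))


def check_move_aware(before, after, moves):
    """Replays the moves: a node whose moved path is absent was removed."""
    violations = []
    for original in sorted(before):
        current = original
        for src, dst in moves:
            if current == src or current.startswith(src + "/"):
                current = dst + current[len(src):]
        # Evaluate the deny entry at the location the node was removed from.
        if current not in after and denied_remove(current):
            violations.append(original)
    return violations


if __name__ == "__main__":
    print("diff-only violations: ", check_diff_only(BEFORE, AFTER))
    print("move-aware violations:", check_move_aware(BEFORE, AFTER, MOVES))
```
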