  1. Jackrabbit Oak
  2. OAK-1140

SecureNodeBuilder should use the base state for the security context


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.10
    • Fix Version/s: 0.11
    • Component/s: core
    • Labels: None

    Description

      Currently the SecureNodeBuilder uses the current state that includes all transient changes when constructing the SecurityContext after a refresh.

      This is potentially troublesome, as we generally don't enforce write access controls on transient changes (they're only checked during save), and it might therefore be possible for a client to transiently modify the permissions and thus gain access to content that would otherwise be read-protected.

      To avoid worrying about such cases, the SecureNodeBuilder should always use the base state (i.e. no transient modifications) for the SecurityContext.

          People

            Assignee: Jukka Zitting (jukkaz)
            Reporter: Jukka Zitting (jukkaz)
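
The difference between the two choices of state in the description, as an added example that is not Oak code and not part of the original issue: a toy builder whose security context is built either from the transient state or from the base state. Every class, method and path name in it is hypothetical, and the ACL model (a path mapped to the principals allowed to read it) is an assumption made for illustration.

```java
import java.util.*;

// Toy model, not Oak code: every class, method and path name here is hypothetical.
public class BaseStateContextDemo {

    /** Immutable snapshot: path -> principals allowed to read that path. */
    record State(Map<String, Set<String>> readAcl) {
        boolean canRead(String user, String path) {
            return readAcl.getOrDefault(path, Set.of()).contains(user);
        }
    }

    /** Builder holding a persisted base state plus unsaved (transient) ACL edits. */
    static class ToySecureBuilder {
        private final State base;
        private final Map<String, Set<String>> transientAcl;
        private final String user;
        private final boolean contextFromBase;
        private State securityContext;

        ToySecureBuilder(State base, String user, boolean contextFromBase) {
            this.base = base;
            this.transientAcl = new HashMap<>(base.readAcl());
            this.user = user;
            this.contextFromBase = contextFromBase;
            refresh();
        }
        // Write access is only checked at save time, so a transient edit always succeeds.
        void setReadAcl(String path, Set<String> principals) {
            transientAcl.put(path, principals);
            refresh();
        }
        // The choice under discussion: which state feeds the security context.
        private void refresh() {
            securityContext = contextFromBase ? base : new State(Map.copyOf(transientAcl));
        }
        boolean canRead(String path) {
            return securityContext.canRead(user, path);
        }
    }

    public static void main(String[] args) {
        State base = new State(Map.of("/secret", Set.of("admin"))); // constructed sample
        for (boolean fromBase : new boolean[] {false, true}) {
            ToySecureBuilder b = new ToySecureBuilder(base, "guest", fromBase);
            b.setReadAcl("/secret", Set.of("admin", "guest")); // unsaved change
            System.out.println((fromBase ? "base" : "transient")
                    + " state context: guest can read /secret = " + b.canRead("/secret"));
        }
    }
}
```

With the context taken from the transient state, the unsaved ACL edit is enough to make the protected path readable; with the base state, read decisions ignore the edit until a save has passed the write check.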