  1. Jackrabbit Oak
  2. OAK-3324

Evaluation with restriction is not consistent with parent ACLs


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.4
    • Fix Version/s: 1.0.21, 1.3.6, 1.4
    • Component/s: security
    • Labels: None

    Description

      Consider the following ACL setup:

      testuser allow rep:read,rep:write      /testroot
      testuser deny  jcr:removeNode /testroot/a  glob=*/c
      testuser allow jcr:removeNode /testroot/a  glob=*/b
      

      Now: hasPermission(/testroot/a/b/c, jcr:removeNode) == false, but the user is still able to delete the node.

      • if we change the order of the ACEs with the restriction, it works (i.e. the user can't delete)
      • if we use direct ACLs on the respective nodes, it works

      I think this is a bug... but I'm not sure if hasPermission is wrong, or the check during node deletion.
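
The setup from the description as a JCR regression check, added here as an example; it is not code from the issue or from the Oak project. The class and method names are hypothetical, the caller supplies an admin session, a session for testuser and testuser's principal, the example uses `jcr:read` where the description writes rep:read, and the check is expressed as `Session.hasPermission` with the JCR `remove` action.

```java
import java.security.Principal;
import java.util.Collections;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.JcrUtils;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

public class RestrictionConsistencyCheck { // hypothetical name
    // Adds one ACE to acl; a non-null glob becomes a rep:glob restriction.
    static void ace(Session s, JackrabbitAccessControlList acl, Principal p,
                    boolean allow, String glob, String... privNames) throws RepositoryException {
        Privilege[] privs = AccessControlUtils.privilegesFromNames(s, privNames);
        if (glob == null) {
            acl.addEntry(p, privs, allow);
        } else {
            acl.addEntry(p, privs, allow, Collections.singletonMap(
                    "rep:glob", s.getValueFactory().createValue(glob)));
        }
    }
    // True when the permission check and the real removal give the same answer.
    static boolean checkMatchesEnforcement(Session admin, Session user, Principal testuser)
            throws RepositoryException {
        JcrUtils.getOrCreateByPath("/testroot/a/b/c", "nt:unstructured", admin);
        admin.save();
        // ACE order matters here: deny (glob=*/c) first, then allow (glob=*/b).
        JackrabbitAccessControlList rootAcl = AccessControlUtils.getAccessControlList(admin, "/testroot");
        ace(admin, rootAcl, testuser, true, null, "jcr:read", "rep:write");
        admin.getAccessControlManager().setPolicy("/testroot", rootAcl);
        JackrabbitAccessControlList aAcl = AccessControlUtils.getAccessControlList(admin, "/testroot/a");
        ace(admin, aAcl, testuser, false, "*/c", "jcr:removeNode");
        ace(admin, aAcl, testuser, true, "*/b", "jcr:removeNode");
        admin.getAccessControlManager().setPolicy("/testroot/a", aAcl);
        admin.save();
        user.refresh(false); // pick up the new policies
        // What the permission check reports for removing /testroot/a/b/c ...
        boolean checkSaysAllowed = user.hasPermission("/testroot/a/b/c", Session.ACTION_REMOVE);
        boolean removed = true;
        try { // ... versus what the repository enforces on an actual removal.
            user.getNode("/testroot/a/b/c").remove();
            user.save();
        } catch (AccessDeniedException e) {
            user.refresh(false); // discard the rejected transient change
            removed = false;
        }
        return checkSaysAllowed == removed;
    }
}
```

With the behaviour described in the report (check says false, removal succeeds) the method returns false; it returns true when check and enforcement agree.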


          People

            tripod Tobias Bocanegra
            tripod Tobias Bocanegra