[OAK-3324] Evaluation with restriction is not consistent with parent ACLs - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.3.4
Fix Version/s: 1.0.21, 1.3.6, 1.4
Component/s: security
Labels:
None

Description

consider the following ACL setup:

testuser allow rep:read,rep:write      /testroot
testuser deny  jcr:removeNode /testroot/a  glob=*/c
testuser allow jcr:removeNode /testroot/a  glob=*/b

now: hasPermission(/tesroot/a/b/c, jcr:removeNode) == false but the user is still able to delete the node.

if we change the order of the ACEs with the restriction, it works (i.e. the user can't delete)
if we use direct ACLs on the respective nodes, it works

I think this is a bug...but I'm not sure if hasPermission is wrong, or the check during node deletion.

Attachments

Activity

People

Assignee:: Tobias Bocanegra

Reporter:: Tobias Bocanegra

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 01/Sep/15 10:34

Updated:: 02/Mar/16 12:13

Resolved:: 04/Sep/15 16:43