[OAK-3517] Node.addNode(String, String) may check nt-mgt-permission against the wrong node - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.2.8, 1.3.9, 1.4
Component/s: jcr
Labels:
None

Description

While I was troubleshooting an issue we're having in AEM 6.1, I've noticed an "impossible" access denied exception in the logs: the user had permission to add nodes under the node in question but still got an error.

Some testing narrowed the issue down to a difference in behavior between the following two invocations:
someNode.getNode("child").addNode("grandchild", "nt:unstructured");
someNode.addNode("child/grandchild", "nt:unstructured");

As far as I can tell, both should behave identically per the JCR spec, but the second one fails if the user doesn't have node type management permission to someNode, even if they have that permission to someNode/child.

I believe the issue is in line 283 of NodeImpl: it is checking permissions against dlg.getTree(), but it should really check against parent.getTree(), or if possible, the path of the node that's about to be created (so glob restrictions can be evaluated).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OAK-3517.patch
15/Oct/15 09:09
3 kB
Angela Schreiber
PermissionIssueDemo.java
14/Oct/15 12:50
2 kB
Csaba Varga

Activity

People

Assignee:: Angela Schreiber

Reporter:: Csaba Varga

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 14/Oct/15 12:45

Updated:: 02/Mar/16 14:33

Resolved:: 15/Oct/15 10:05