[
http://jira.magnolia.info/browse/MAGNOLIA-2317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17517#action_17517
]
Jan Haderka commented on MAGNOLIA-2317:
---------------------------------------
I've decided not to change the fact that we do not check for the user having rights to
read their own account node on login. First, we can enforce this only on
JCRAuthenticationModule, and second, there is already a flag marking an account as
enabled/disabled. So missing privileges to read/modify their own node just means such a
user is not able to display/change their own preferences, which might be desired
behaviour in some cases - (semi)public accounts.
> Reading user nodes without having correct privileges assigned
> -------------------------------------------------------------
>
> Key: MAGNOLIA-2317
> URL: http://jira.magnolia.info/browse/MAGNOLIA-2317
> Project: Magnolia
> Issue Type: Bug
> Components: security
> Affects Versions: 3.6.1
> Reporter: Jan Haderka
> Assignee: Jan Haderka
> Fix For: 3.6.2
>
>
> Currently users have assigned privileges to access their own node via ACLs
> assigned directly to their account. However, those privileges are not assigned
> and used at runtime, so in theory the user should not be able to log in.