[ https://issues.apache.org/jira/browse/JCR-3858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14364714#comment-14364714 ]

Thomas Mueller commented on JCR-3858:
-------------------------------------

I think by default it should be as secure as possible. And with the patch, this 
is the case.

We should provide backward compatibility, but the user would have to explicitly 
enable this, and it needs to be clear that enabling it is potentially a (very 
small) security problem.

> NodeIterator.getSize(): compatibility with Jackrabbit 2.5
> ---------------------------------------------------------
>
>                 Key: JCR-3858
>                 URL: https://issues.apache.org/jira/browse/JCR-3858
>             Project: Jackrabbit Content Repository
>          Issue Type: New Feature
>    Affects Versions: 2.6.2, 2.7
>            Reporter: Thomas Mueller
>            Assignee: Thomas Mueller
>
> In Jackrabbit 2.5 and older, the query result set size (NodeIterator.getSize()) 
> was an estimate that sometimes included nodes that are not visible to the 
> current user.
> This is a possible security problem. The behavior was changed (and the 
> security problem fixed) in JCR-3402. However, this is an incompatibility with 
> Jackrabbit 2.5.
> I suggest making this configurable in workspace.xml / repository.xml (or a 
> system property, if that turns out to be too complicated). The default is the 
> current (secure) behavior, with the option to use the old variant.
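A practitioner who wants to verify which behavior a given Jackrabbit build exposes can compare the size a result iterator advertises with the number of nodes the session can actually read. The following Java program is an added example, not code from the issue, the patch or the Jackrabbit project. It assumes a jackrabbit-core TransientRepository with its default repository.xml (admin/admin credentials, a fresh ./repository directory) and uses a constructed node tree under /sizecheck. Run as admin the two numbers must agree; the interesting run is the same `compare` call on a session whose read access to some of the matched nodes has been denied, which is where the pre-JCR-3402 estimate over-counted.

```java
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;
import org.apache.jackrabbit.core.TransientRepository;

/** Added example: does NodeIterator.getSize() reveal nodes this session cannot read? */
public class ResultSizeCheck {

    /** Advertised size versus nodes actually yielded by the iterator. */
    public static final class SizeReport {
        public final long advertised; // NodeIterator.getSize(); -1 means "unknown"
        public final long returned;   // nodes the session actually received

        SizeReport(long advertised, long returned) {
            this.advertised = advertised;
            this.returned = returned;
        }

        /** True when getSize() claims more nodes than the session was allowed to read. */
        public boolean overCounts() {
            return advertised > returned;
        }
    }

    /** Runs a JCR-SQL2 query and compares getSize() with the iterated count. */
    public static SizeReport compare(Session session, String sql2) throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        QueryResult result = qm.createQuery(sql2, Query.JCR_SQL2).execute();
        NodeIterator it = result.getNodes();
        long advertised = it.getSize(); // read before iterating; implementations may refine it lazily
        long returned = 0;
        while (it.hasNext()) {
            it.nextNode();
            returned++;
        }
        return new SizeReport(advertised, returned);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: default TransientRepository config, admin/admin, repository dir created on demand.
        Repository repo = new TransientRepository();
        Session admin = repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            // Constructed sample content: three children under /sizecheck.
            Node parent = admin.getRootNode().addNode("sizecheck");
            for (int i = 0; i < 3; i++) {
                parent.addNode("item" + i);
            }
            admin.save();

            SizeReport r = compare(admin,
                    "SELECT * FROM [nt:unstructured] WHERE ISCHILDNODE([/sizecheck])");
            System.out.println("getSize()=" + r.advertised
                    + " iterated=" + r.returned
                    + " overCounts=" + r.overCounts());
        } finally {
            admin.logout(); // TransientRepository shuts down when the last session logs out
        }
    }
}
```

To exercise the access-control case, log in as a user whose read privilege on one of the children has been removed and call `compare` with that session; an `overCounts()` of true means the size estimate is leaking the existence of nodes that user cannot see, which is exactly the behavior the issue proposes to keep off by default.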



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)