mreutegg commented on code in PR #1011:
URL: https://github.com/apache/jackrabbit-oak/pull/1011#discussion_r1301427100
##########
oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/NodeImpl.java:
##########
@@ -1015,6 +1015,9 @@ public void checkPreconditions() throws
RepositoryException {
throw new VersionException(format(
"Cannot add mixin type. Node [%s] is checked in.",
getNodePath()));
}
+ // OAK-10334: adding mixin requires permission to read
existing mixin types
+ PropertyState prop =
PropertyStates.createProperty(JCR_MIXINTYPES, singleton(oakTypeName), NAMES);
+
sessionContext.getAccessManager().checkPermissions(dlg.getTree(), prop,
Permissions.READ_PROPERTY);
Review Comment:
> i wonder if it wouldn't be better to also adopt a similar approach as we
use in `NodeImpl.getPrimaryType` and `getMixinTypeNames`.... i.e. making sure
we don't overwrite the type in the tree-util by potentially reading the value
from the read-only tree...
That's a good point and I think would be more consistent. Oak and Jackrabbit
allow you to get primary and mixin type information even if the session does
not have permission to read properties where those values are stored in. It
would be strange if adding a mixin fails in this case.
I'll update the PR accordingly.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@jackrabbit.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
