[ https://issues.apache.org/jira/browse/OAK-1163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13818872#comment-13818872 ]
Michael Dürig commented on OAK-1163:
------------------------------------

bq. should be possible to extend the NodeStateDiff contract to cover that case by allowing one or both of the node states passed to childNodeChanged() to be non-existent.

While this would surely be the cleanest solution for observation I'm rather reluctant to generally change that contract since this will affect existing client code in subtle ways. But maybe we could introduce some kind of a "relax" mode for the {{SecureNodeState}} that behaves in this way.

> Observation events should respect permissions
> ---------------------------------------------
>
> Key: OAK-1163
> URL: https://issues.apache.org/jira/browse/OAK-1163
> Project: Jackrabbit Oak
> Issue Type: New Feature
> Components: core, jcr, security
> Reporter: Alexander Klimetschek
>
> The JCR observation implementation in Oak does not evaluate ACLs yet, so any
> session currently sees all events. {{SecureValidator}} is the intended place
> to do the checks.

--
This message was sent by Atlassian JIRA (v6.1#6144)