[ https://issues.apache.org/jira/browse/OAK-4632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marco Piovesana updated OAK-4632: --------------------------------- Description: I have tow users: _admin_ and _userA_. _admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ tries to delete the folder no exception is thrown and the folder is deleted. _admin_ however can still view the node. If i give to _userA_ the privilege to remove the node nothing changes. Is this the expected behaviour? How can i give to _userA_ the privilege to completely remove the node (remove it also for _admin_)? {code:title=DeleteTest.java|borderStyle=solid} public void deleteWithoutPermission() throws IOException, RepositoryException { File driveFile = new File("/tmp/oakTest", "oakrepo"); File repositoryFile = new File(driveFile, "repository"); File dataStoreFile = new File(driveFile, "datastore"); BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath()); FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create(); NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create(); Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl()); Repository repository = jcr.createRepository(); Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray())); UserManager userManager = ((SessionImpl) session).getUserManager(); User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null); session.save(); Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder"); folder.addMixin(JcrConstants.MIX_SHAREABLE); Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder"); otherFolder.addMixin(JcrConstants.MIX_SHAREABLE); session.save(); String path = otherFolder.getPath(); AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(), new String[]{Privilege.JCR_READ}, true); session.save(); session.logout(); session = repository.login(new SimpleCredentials("userA", "userA".toCharArray())); Node node = session.getNode(path); node.remove(); boolean exist = session.itemExists(path); } {code} was: I have tow users: _admin_ and _userA_. _admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ tries to delete the folder no exception is thrown and the folder is deleted. _admin_ however can still view the node. {code:title=DeleteTest.java|borderStyle=solid} public void deleteWithoutPermission() throws IOException, RepositoryException { File driveFile = new File("/tmp/oakTest", "oakrepo"); File repositoryFile = new File(driveFile, "repository"); File dataStoreFile = new File(driveFile, "datastore"); BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath()); FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create(); NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create(); Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl()); Repository repository = jcr.createRepository(); Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray())); UserManager userManager = ((SessionImpl) session).getUserManager(); User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null); session.save(); Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder"); folder.addMixin(JcrConstants.MIX_SHAREABLE); Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder"); otherFolder.addMixin(JcrConstants.MIX_SHAREABLE); session.save(); String path = otherFolder.getPath(); AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(), new String[]{Privilege.JCR_READ}, true); session.save(); session.logout(); session = repository.login(new SimpleCredentials("userA", "userA".toCharArray())); Node node = session.getNode(path); node.remove(); boolean exist = session.itemExists(path); } {code} > User with with just JCR_READ privilege can delete a node > -------------------------------------------------------- > > Key: OAK-4632 > URL: https://issues.apache.org/jira/browse/OAK-4632 > Project: Jackrabbit Oak > Issue Type: Bug > Components: core > Affects Versions: 1.4.5 > Reporter: Marco Piovesana > > I have tow users: _admin_ and _userA_. > _admin_ creates a folder and gives JCR_READ privilege to _userA_. When > _userA_ tries to delete the folder no exception is thrown and the folder is > deleted. _admin_ however can still view the node. > If i give to _userA_ the privilege to remove the node nothing changes. > Is this the expected behaviour? How can i give to _userA_ the privilege to > completely remove the node (remove it also for _admin_)? > {code:title=DeleteTest.java|borderStyle=solid} > public void deleteWithoutPermission() throws IOException, RepositoryException > { > File driveFile = new File("/tmp/oakTest", "oakrepo"); > File repositoryFile = new File(driveFile, "repository"); > File dataStoreFile = new File(driveFile, "datastore"); > BlobStore blobStore = new > FileBlobStore(dataStoreFile.getAbsolutePath()); > FileStore repositoryStore = > FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create(); > NodeStore nodeStore = > SegmentNodeStore.newSegmentNodeStore(repositoryStore).create(); > Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new > SecurityProviderImpl()); > Repository repository = jcr.createRepository(); > Session session = repository.login(new SimpleCredentials("admin", > "admin".toCharArray())); > UserManager userManager = ((SessionImpl) session).getUserManager(); > User userA = userManager.createUser("userA", "userA", new > UserPrincipal("userA"), null); > session.save(); > Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), > "myfolder"); > folder.addMixin(JcrConstants.MIX_SHAREABLE); > Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder"); > otherFolder.addMixin(JcrConstants.MIX_SHAREABLE); > session.save(); > String path = otherFolder.getPath(); > AccessControlUtils.addAccessControlEntry(session, > otherFolder.getPath(), userA.getPrincipal(), new > String[]{Privilege.JCR_READ}, true); > session.save(); > session.logout(); > session = repository.login(new SimpleCredentials("userA", > "userA".toCharArray())); > Node node = session.getNode(path); > node.remove(); > boolean exist = session.itemExists(path); > } > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)