Kunal Shubham created OAK-8855: ---------------------------------- Summary: Permission evaluation of nodes broken after :nestedCug removed from parent node Key: OAK-8855 URL: https://issues.apache.org/jira/browse/OAK-8855 Project: Jackrabbit Oak Issue Type: Bug Components: authorization-cug Reporter: Kunal Shubham
Steps to Reproduce: # Create a node 'a' which has two children nodes 'b1' and 'b2'. The content tree looks as shown: /content/a/b1, /content/a/b2. Create two users user1 and user2. # Apply CUG policy on /content/a. ** Authorize user1 and user2 to read /content/a. ** Authorize user1 to read /content/a/b1. ** Authorize user2 to read /content/a/b2. # Remove :nestedCugs property from /content/a/rep:cugPolicy. # Create a content session, login with user2. Try to read /content/a/b1. *Observed behavior* : user2 is able to read /content/a/b1. *Expected behavior* : user2 should not be able to read /content/a/b1 as it is unauthorized to do so. Please note that :nestedCugs is removed by a mechanism which completely overwrites content tree below "/content/a". -- This message was sent by Atlassian Jira (v8.3.4#803005)