[jira] [Commented] (OAK-8855) Permission evaluation of nodes broken after :nestedCug removed from parent node

Tue, 14 Jan 2020 03:38:47 -0800 


    [ 
https://issues.apache.org/jira/browse/OAK-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17015025#comment-17015025
 ] 

Kunal Shubham commented on OAK-8855:
------------------------------------

Before :nestedCugs is removed from /content/a/rep:cugPolicy, the permissions 
for user2 on different nodes:
||Node||isAllow||hasNested||
|/content/a|T|T|
|/content/a/b1|F|F|
|/content/a/b2|T|F|
 
After :nestedCugs is removed from /content/a/rep:cugPolicy, the permissions for 
user2:
||Node||isAllow||hasNested||
|*/content/a*|*Y*|{color:#FF0000}*N*{color}|
|/content/a/b1|N|N|
|/content/a/b2|Y|N|
Now when a read request for /content/a/b1 by user2, first it is checked if the 
parent of 'b1' is nested or not. The neverNested method [1] erroneously returns 
true. This causes user2 to use its parent's permissions, erroneously giving 
read access to user2.
The patch fixes this by restoring :nestedCugs back in rep:cugPolicy.
[1] 
[https://github.com/apache/jackrabbit-oak/blob/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermission.java#L77-L100]

> Permission evaluation of nodes broken after :nestedCug removed from parent 
> node
> -------------------------------------------------------------------------------
>
>                 Key: OAK-8855
>                 URL: https://issues.apache.org/jira/browse/OAK-8855
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: authorization-cug
>            Reporter: Kunal Shubham
>            Priority: Major
>         Attachments: 0001-Fix-nestedcug-permission-issue.patch
>
>
> Steps to Reproduce:
>  # Create a node 'a' which has two children nodes 'b1' and 'b2'. The content 
> tree looks as shown: /content/a/b1, /content/a/b2. Create two users user1 and 
> user2.
>  # Apply CUG policy on /content/a.
>  ** Authorize user1 and user2 to read /content/a.
>  ** Authorize user1 to read /content/a/b1.
>  ** Authorize user2 to read /content/a/b2.
>  # Remove :nestedCugs property from /content/a/rep:cugPolicy.
>  # Create a content session, login with user2. Try to read /content/a/b1.
> *Observed behavior* : user2 is able to read /content/a/b1.
> *Expected behavior* : user2 should not be able to read /content/a/b1 as it is 
> unauthorized to do so.
> Please note that :nestedCugs is removed by a mechanism which completely 
> overwrites content tree below "/content/a".



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to