[ https://issues.apache.org/jira/browse/OAK-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17015025#comment-17015025 ]
Kunal Shubham edited comment on OAK-8855 at 1/15/20 4:52 AM: ------------------------------------------------------------- Before :nestedCugs is removed from /content/a/rep:cugPolicy, the permissions for user2 on different nodes: ||Node||isAllow||hasNested|| |/content/a|T|T| |/content/a/b1|F|F| |/content/a/b2|T|F| After :nestedCugs is removed from /content/a/rep:cugPolicy, the permissions for user2: ||Node||isAllow||hasNested|| |*/content/a*|*T*|{color:#ff0000}*F*{color}| |/content/a/b1|F|F| |/content/a/b2|T|F| Now when a read request for /content/a/b1 by user2, first it is checked if the parent of 'b1' is nested or not. The neverNested method [1] erroneously returns true. This causes user2 to use its parent's permissions, erroneously giving it read access to /content/a/b1. The patch fixes this by restoring :nestedCugs back in rep:cugPolicy. [1] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermission.java#L77-L100] was (Author: kunal3112): Before :nestedCugs is removed from /content/a/rep:cugPolicy, the permissions for user2 on different nodes: ||Node||isAllow||hasNested|| |/content/a|T|T| |/content/a/b1|F|F| |/content/a/b2|T|F| After :nestedCugs is removed from /content/a/rep:cugPolicy, the permissions for user2: ||Node||isAllow||hasNested|| |*/content/a*|*Y*|{color:#FF0000}*N*{color}| |/content/a/b1|N|N| |/content/a/b2|Y|N| Now when a read request for /content/a/b1 by user2, first it is checked if the parent of 'b1' is nested or not. The neverNested method [1] erroneously returns true. This causes user2 to use its parent's permissions, erroneously giving read access to user2. The patch fixes this by restoring :nestedCugs back in rep:cugPolicy. [1] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugTreePermission.java#L77-L100] > Permission evaluation of nodes broken after :nestedCug removed from parent > node > ------------------------------------------------------------------------------- > > Key: OAK-8855 > URL: https://issues.apache.org/jira/browse/OAK-8855 > Project: Jackrabbit Oak > Issue Type: Bug > Components: authorization-cug > Reporter: Kunal Shubham > Priority: Major > Attachments: 0001-Fix-nestedcug-permission-issue.patch > > > Steps to Reproduce: > # Create a node 'a' which has two children nodes 'b1' and 'b2'. The content > tree looks as shown: /content/a/b1, /content/a/b2. Create two users user1 and > user2. > # Apply CUG policy on /content/a. > ** Authorize user1 and user2 to read /content/a. > ** Authorize user1 to read /content/a/b1. > ** Authorize user2 to read /content/a/b2. > # Remove :nestedCugs property from /content/a/rep:cugPolicy. > # Create a content session, login with user2. Try to read /content/a/b1. > *Observed behavior* : user2 is able to read /content/a/b1. > *Expected behavior* : user2 should not be able to read /content/a/b1 as it is > unauthorized to do so. > Please note that :nestedCugs is removed by a mechanism which completely > overwrites content tree below "/content/a". -- This message was sent by Atlassian Jira (v8.3.4#803005)