[ https://issues.apache.org/jira/browse/OAK-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028893#comment-17028893 ]
Angela Schreiber commented on OAK-8855: --------------------------------------- trunk: r1873524 1.22 branch: r1873533 > Permission evaluation of nodes broken after :nestedCug removed from parent > node > ------------------------------------------------------------------------------- > > Key: OAK-8855 > URL: https://issues.apache.org/jira/browse/OAK-8855 > Project: Jackrabbit Oak > Issue Type: Bug > Components: authorization-cug > Affects Versions: 1.8.7 > Reporter: Kunal Shubham > Assignee: Angela Schreiber > Priority: Major > Fix For: 1.26.0, 1.22.1 > > Attachments: OAK-8855.patch, OAK-8855_backport.patch > > > Steps to Reproduce: > # Create a node 'a' which has two children nodes 'b1' and 'b2'. The content > tree looks as shown: /content/a/b1, /content/a/b2. Create two users user1 and > user2. > # Apply CUG policy on /content/a. > ** Authorize user1 and user2 to read /content/a. > ** Authorize user1 to read /content/a/b1. > ** Authorize user2 to read /content/a/b2. > # Remove :nestedCugs property from /content/a/rep:cugPolicy. > # Create a content session, login with user2. Try to read /content/a/b1. > *Observed behavior* : user2 is able to read /content/a/b1. > *Expected behavior* : user2 should not be able to read /content/a/b1 as it is > unauthorized to do so. > Please note that :nestedCugs is removed by a mechanism which completely > overwrites content tree below "/content/a". -- This message was sent by Atlassian Jira (v8.3.4#803005)