[jira] [Commented] (OAK-6015) ACL of versioned node can be modified without checking in the node

2017-04-03 Thread Marco Piovesana (JIRA)

[ https://issues.apache.org/jira/browse/OAK-6015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15953206#comment-15953206 ]

Marco Piovesana commented on OAK-6015:
--

Yes I'm sorry, I wrote checkin instead of checkout. I'm updating title and 
description right away.

Marco.

> ACL of versioned node can be modified without checking in the node
> --
>
> Key: OAK-6015
> URL: https://issues.apache.org/jira/browse/OAK-6015
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core
> Affects Versions: 1.6.0
> Reporter: Marco Piovesana
>
> On a versioned node _nodeA_ I can do:
> {{AccessControlUtils.clear(nodeA, userPrincipal)}}
> without having to checkin the node.
> After saving the session I tried to login as _userPrincipal_ and I couldn't 
> find _nodeA_, so it seems that the clear operation did work even if the node 
> was checked-out.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (OAK-6015) ACL of versioned node can be modified without checking in the node

2017-04-03 Thread angela (JIRA)

[ https://issues.apache.org/jira/browse/OAK-6015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15953109#comment-15953109 ]

angela commented on OAK-6015:
-

[~iosonomarco], the subject/description is confusing... don't you mean to say 
that the node is checked-in and it still works? so, 'without checking _out_ the 
node'? if the node is checked out writing is possible in the first place... 
it's only the checked-in state that should be read only. please clarify.



[jira] [Commented] (OAK-6015) ACL of versioned node can be modified without checking in the node

2017-04-03 Thread Marco Piovesana (JIRA)

[ https://issues.apache.org/jira/browse/OAK-6015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15953102#comment-15953102 ]

Marco Piovesana commented on OAK-6015:
--

Sure, in the test I first grant "testUser" some privileges and then I try to 
clear them without checking out the node:
{code:title=ACLErrorTest.java|borderStyle=solid}
@Test(expected = VersionException.class)
public void shouldFailWhenTryingToChangeNodeSharestOnCheckedOutNode()
        throws IOException, RepositoryException, InvalidFileStoreVersionException {
    // Build a segment-backed Oak repository under /tmp/oakTest/oakrepo.
    File driveFile = new File("/tmp/oakTest", "oakrepo");
    File repositoryFile = new File(driveFile, "repository");
    File dataStoreFile = new File(driveFile, "datastore");

    BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
    FileStore fileStore = FileStoreBuilder.fileStoreBuilder(repositoryFile)
            .withBlobStore(blobStore).build();
    SegmentNodeStore segmentNodeStore = SegmentNodeStoreBuilders.builder(fileStore).build();

    Jcr jcr = new Jcr(segmentNodeStore)
            .with(new InitialContent())
            .with(new SecurityProviderImpl());
    Repository repository = jcr.createRepository();

    // ADMIN_CREDENTIALS is a constant of the test class and is not shown here.
    Session session = repository.login(ADMIN_CREDENTIALS);
    User user = ((JackrabbitSession) session).getUserManager()
            .createUser("testUser", "testUser", new PrincipalImpl("testUser"), null);
    session.save();
    VersionManager versionManager = session.getWorkspace().getVersionManager();

    // Create a versionable folder.
    Node testFolder = JcrUtils.getOrAddNode(session.getRootNode(), "myfile",
            JcrConstants.NT_FOLDER);
    testFolder.addMixin(JcrConstants.MIX_VERSIONABLE);
    session.save();

    versionManager.checkout(testFolder.getPath());
    versionManager.checkin(testFolder.getPath());

    // Grant jcr:all to testUser while the node is checked out.
    versionManager.checkout(testFolder.getPath());
    AccessControlUtils.addAccessControlEntry(testFolder.getSession(), testFolder.getPath(),
            user.getPrincipal(), new String[]{Privilege.JCR_ALL}, true);
    session.save();

    // Check the node in, then clear the entries without checking it out again.
    versionManager.checkin(testFolder.getPath());
    AccessControlUtils.clear(testFolder, user.getPrincipal().getName());
    session.save();

    // Release the session, the segment store and the repository.
    session.logout();
    fileStore.close();
    ((JackrabbitRepository) repository).shutdown();
}
{code}
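
An application-side guard for the behaviour discussed in this thread, as an added example (not code from the reporter or from Oak): it refuses to clear a principal's entries when `Node.isCheckedOut()` reports the checked-in state, throwing the `VersionException` that the test above expects. The class and method names are hypothetical; the calls are standard JCR and Jackrabbit API.

```java
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.version.VersionException;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

/** Hypothetical helper: rejects ACL edits on nodes that are in the checked-in state. */
public final class CheckedOutAclGuard {

    private CheckedOutAclGuard() {
    }

    /**
     * Removes every access control entry of principalName from the policies
     * bound to the node, but only when the node is checked out.
     * The caller is responsible for Session.save().
     *
     * @return the number of entries removed
     */
    public static int clearIfCheckedOut(Node node, String principalName)
            throws RepositoryException {
        // isCheckedOut() returns false for a checked-in versionable node and
        // for any node that is read-only because an ancestor is checked in.
        if (!node.isCheckedOut()) {
            throw new VersionException(
                    "Refusing ACL change on checked-in node " + node.getPath());
        }
        String path = node.getPath();
        AccessControlManager acMgr = node.getSession().getAccessControlManager();
        int removed = 0;
        for (AccessControlPolicy policy : acMgr.getPolicies(path)) {
            if (!(policy instanceof JackrabbitAccessControlList)) {
                continue; // only entry-based policies are handled here
            }
            JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policy;
            int before = removed;
            // getAccessControlEntries() returns an array, so removal while
            // iterating is safe.
            for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                if (principalName.equals(ace.getPrincipal().getName())) {
                    acl.removeAccessControlEntry(ace);
                    removed++;
                }
            }
            if (removed > before) {
                acMgr.setPolicy(path, acl); // write back only modified policies
            }
        }
        return removed;
    }
}
```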



[jira] [Commented] (OAK-6015) ACL of versioned node can be modified without checking in the node

2017-04-03 Thread Marcel Reutegger (JIRA)

[ https://issues.apache.org/jira/browse/OAK-6015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15953089#comment-15953089 ]

Marcel Reutegger commented on OAK-6015:
---

Can you please attach a test that reproduces the issue?
