[jira] [Updated] (OAK-4632) User with just JCR_READ privilege can delete a node

[ https://issues.apache.org/jira/browse/OAK-4632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marco Piovesana updated OAK-4632:

Description:

I have two users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ tries to delete the folder no exception is thrown and the folder is deleted. _admin_ however can still view the node.
If I give to _userA_ the privilege to remove the node (_Privilege.JCR_REMOVE_NODE_) nothing changes.
Is this the expected behaviour? How can I give to _userA_ the privilege to completely remove the node (remove it also for _admin_)?

{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
    File driveFile = new File("/tmp/oakTest", "oakrepo");
    File repositoryFile = new File(driveFile, "repository");
    File dataStoreFile = new File(driveFile, "datastore");
    BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
    FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
    NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
    Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl());
    Repository repository = jcr.createRepository();

    Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
    UserManager userManager = ((SessionImpl) session).getUserManager();
    User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null);
    session.save();

    Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder");
    folder.addMixin(JcrConstants.MIX_SHAREABLE);
    Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
    otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
    session.save();

    String path = otherFolder.getPath();
    AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(),
            new String[]{Privilege.JCR_READ}, true);
    session.save();
    session.logout();

    session = repository.login(new SimpleCredentials("userA", "userA".toCharArray()));
    Node node = session.getNode(path);
    node.remove();
    boolean exist = session.itemExists(path);
}
{code}

was:

I have two users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ tries to delete the folder no exception is thrown and the folder is deleted. _admin_ however can still view the node.
If I give to _userA_ the privilege to remove the node nothing changes.
Is this the expected behaviour? How can I give to _userA_ the privilege to completely remove the node (remove it also for _admin_)?

{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
    File driveFile = new File("/tmp/oakTest", "oakrepo");
    File repositoryFile = new File(driveFile, "repository");
    File dataStoreFile = new File(driveFile, "datastore");
    BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
    FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
    NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
    Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl());
    Repository repository = jcr.createRepository();

    Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
    UserManager userManager = ((SessionImpl) session).getUserManager();
    User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null);
    session.save();

    Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder");
    folder.addMixin(JcrConstants.MIX_SHAREABLE);
    Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
    otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
    session.save();

    String path = otherFolder.getPath();
    AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(),
            new String[]{Privilege.JCR_READ}, true);
    session.save();
    session.logout();

    session = repository.login(new SimpleCredentials("userA", "userA".toCharArray()));
    Node node = session.getNode(path);
    node.remove();
    boolean exist = session.itemExists(path);
}
{code}

> User with just JCR_READ privilege can delete a node
>
>                 Key: OAK-4632
>                 URL: https://issues.apache.org/jira/browse/OAK-4

[jira] [Updated] (OAK-4632) User with just JCR_READ privilege can delete a node

[ https://issues.apache.org/jira/browse/OAK-4632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marco Piovesana updated OAK-4632:

Description:

I have two users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ tries to delete the folder no exception is thrown and the folder is deleted. _admin_ however can still view the node.
If I give to _userA_ the privilege to remove the node nothing changes.
Is this the expected behaviour? How can I give to _userA_ the privilege to completely remove the node (remove it also for _admin_)?

{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
    File driveFile = new File("/tmp/oakTest", "oakrepo");
    File repositoryFile = new File(driveFile, "repository");
    File dataStoreFile = new File(driveFile, "datastore");
    BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
    FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
    NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
    Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl());
    Repository repository = jcr.createRepository();

    Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
    UserManager userManager = ((SessionImpl) session).getUserManager();
    User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null);
    session.save();

    Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder");
    folder.addMixin(JcrConstants.MIX_SHAREABLE);
    Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
    otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
    session.save();

    String path = otherFolder.getPath();
    AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(),
            new String[]{Privilege.JCR_READ}, true);
    session.save();
    session.logout();

    session = repository.login(new SimpleCredentials("userA", "userA".toCharArray()));
    Node node = session.getNode(path);
    node.remove();
    boolean exist = session.itemExists(path);
}
{code}

was:

I have two users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ tries to delete the folder no exception is thrown and the folder is deleted. _admin_ however can still view the node.

{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
    File driveFile = new File("/tmp/oakTest", "oakrepo");
    File repositoryFile = new File(driveFile, "repository");
    File dataStoreFile = new File(driveFile, "datastore");
    BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
    FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
    NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
    Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl());
    Repository repository = jcr.createRepository();

    Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
    UserManager userManager = ((SessionImpl) session).getUserManager();
    User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null);
    session.save();

    Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder");
    folder.addMixin(JcrConstants.MIX_SHAREABLE);
    Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
    otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
    session.save();

    String path = otherFolder.getPath();
    AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(),
            new String[]{Privilege.JCR_READ}, true);
    session.save();
    session.logout();

    session = repository.login(new SimpleCredentials("userA", "userA".toCharArray()));
    Node node = session.getNode(path);
    node.remove();
    boolean exist = session.itemExists(path);
}
{code}

> User with just JCR_READ privilege can delete a node
>
>                 Key: OAK-4632
>                 URL: https://issues.apache.org/jira/browse/OAK-4632
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.4.5
>            Reporter: Marco Piovesana
>
> I have two users: _admin_ and _userA_.
> _admin_ creates a folder

[jira] [Updated] (OAK-4632) User with just JCR_READ privilege can delete a node

[ https://issues.apache.org/jira/browse/OAK-4632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marco Piovesana updated OAK-4632:

Description:

I have two users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ tries to delete the folder no exception is thrown and the folder is deleted. _admin_ however can still view the node.

{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
    File driveFile = new File("/tmp/oakTest", "oakrepo");
    File repositoryFile = new File(driveFile, "repository");
    File dataStoreFile = new File(driveFile, "datastore");
    BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
    FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
    NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
    Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl());
    Repository repository = jcr.createRepository();

    Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
    UserManager userManager = ((SessionImpl) session).getUserManager();
    User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null);
    session.save();

    Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder");
    folder.addMixin(JcrConstants.MIX_SHAREABLE);
    Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
    otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
    session.save();

    String path = otherFolder.getPath();
    AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(),
            new String[]{Privilege.JCR_READ}, true);
    session.save();
    session.logout();

    session = repository.login(new SimpleCredentials("userA", "userA".toCharArray()));
    Node node = session.getNode(path);
    node.remove();
    boolean exist = session.itemExists(path);
}
{code}

was:

I have two users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ tries to delete the folder no exception is thrown and the folder is deleted.
Am I doing something wrong?

{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
    File driveFile = new File("/tmp/oakTest", "oakrepo");
    File repositoryFile = new File(driveFile, "repository");
    File dataStoreFile = new File(driveFile, "datastore");
    BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
    FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
    NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
    Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl());
    Repository repository = jcr.createRepository();

    Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
    UserManager userManager = ((SessionImpl) session).getUserManager();
    User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null);
    session.save();

    Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder");
    folder.addMixin(JcrConstants.MIX_SHAREABLE);
    Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
    otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
    session.save();

    String path = otherFolder.getPath();
    AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(),
            new String[]{Privilege.JCR_READ}, true);
    session.save();
    session.logout();

    session = repository.login(new SimpleCredentials("userA", "userA".toCharArray()));
    Node node = session.getNode(path);
    node.remove();
    boolean exist = session.itemExists(path);
}
{code}

> User with just JCR_READ privilege can delete a node
>
>                 Key: OAK-4632
>                 URL: https://issues.apache.org/jira/browse/OAK-4632
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.4.5
>            Reporter: Marco Piovesana
>
> I have two users: _admin_ and _userA_.
> _admin_ creates a folder and gives JCR_READ privilege to _userA_. When
> _userA_ tries to delete the folder no exception is thrown and the folder is
> deleted. _admin_ however can still view the node.
> {code:title=DeleteTest.java|borderSt