[jira] [Updated] (OAK-4632) User with with just JCR_READ privilege can delete a node
[
https://issues.apache.org/jira/browse/OAK-4632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marco Piovesana updated OAK-4632:
-
Description:
I have tow users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_
tries to delete the folder no exception is thrown and the folder is deleted.
_admin_ however can still view the node.
If i give to _userA_ the privilege to remove the node
(_Privilege.JCR_REMOVE_NODE_) nothing changes.
Is this the expected behaviour? How can i give to _userA_ the privilege to
completely remove the node (remove it also for _admin_)?
{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
File driveFile = new File("/tmp/oakTest", "oakrepo");
File repositoryFile = new File(driveFile, "repository");
File dataStoreFile = new File(driveFile, "datastore");
BlobStore blobStore = new
FileBlobStore(dataStoreFile.getAbsolutePath());
FileStore repositoryStore =
FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
NodeStore nodeStore =
SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new
SecurityProviderImpl());
Repository repository = jcr.createRepository();
Session session = repository.login(new SimpleCredentials("admin",
"admin".toCharArray()));
UserManager userManager = ((SessionImpl) session).getUserManager();
User userA = userManager.createUser("userA", "userA", new
UserPrincipal("userA"), null);
session.save();
Node folder = JcrUtils.getOrAddFolder(session.getRootNode(),
"myfolder");
folder.addMixin(JcrConstants.MIX_SHAREABLE);
Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
session.save();
String path = otherFolder.getPath();
AccessControlUtils.addAccessControlEntry(session,
otherFolder.getPath(), userA.getPrincipal(), new String[]{Privilege.JCR_READ},
true);
session.save();
session.logout();
session = repository.login(new SimpleCredentials("userA",
"userA".toCharArray()));
Node node = session.getNode(path);
node.remove();
boolean exist = session.itemExists(path);
}
{code}
was:
I have tow users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_
tries to delete the folder no exception is thrown and the folder is deleted.
_admin_ however can still view the node.
If i give to _userA_ the privilege to remove the node nothing changes.
Is this the expected behaviour? How can i give to _userA_ the privilege to
completely remove the node (remove it also for _admin_)?
{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
File driveFile = new File("/tmp/oakTest", "oakrepo");
File repositoryFile = new File(driveFile, "repository");
File dataStoreFile = new File(driveFile, "datastore");
BlobStore blobStore = new
FileBlobStore(dataStoreFile.getAbsolutePath());
FileStore repositoryStore =
FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
NodeStore nodeStore =
SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new
SecurityProviderImpl());
Repository repository = jcr.createRepository();
Session session = repository.login(new SimpleCredentials("admin",
"admin".toCharArray()));
UserManager userManager = ((SessionImpl) session).getUserManager();
User userA = userManager.createUser("userA", "userA", new
UserPrincipal("userA"), null);
session.save();
Node folder = JcrUtils.getOrAddFolder(session.getRootNode(),
"myfolder");
folder.addMixin(JcrConstants.MIX_SHAREABLE);
Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
session.save();
String path = otherFolder.getPath();
AccessControlUtils.addAccessControlEntry(session,
otherFolder.getPath(), userA.getPrincipal(), new String[]{Privilege.JCR_READ},
true);
session.save();
session.logout();
session = repository.login(new SimpleCredentials("userA",
"userA".toCharArray()));
Node node = session.getNode(path);
node.remove();
boolean exist = session.itemExists(path);
}
{code}
> User with with just JCR_READ privilege can delete a node
>
>
> Key: OAK-4632
> URL: https://issues.apache.org/jira/browse/OAK-4
[jira] [Updated] (OAK-4632) User with with just JCR_READ privilege can delete a node
[
https://issues.apache.org/jira/browse/OAK-4632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marco Piovesana updated OAK-4632:
-
Description:
I have tow users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_
tries to delete the folder no exception is thrown and the folder is deleted.
_admin_ however can still view the node.
If i give to _userA_ the privilege to remove the node nothing changes.
Is this the expected behaviour? How can i give to _userA_ the privilege to
completely remove the node (remove it also for _admin_)?
{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
File driveFile = new File("/tmp/oakTest", "oakrepo");
File repositoryFile = new File(driveFile, "repository");
File dataStoreFile = new File(driveFile, "datastore");
BlobStore blobStore = new
FileBlobStore(dataStoreFile.getAbsolutePath());
FileStore repositoryStore =
FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
NodeStore nodeStore =
SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new
SecurityProviderImpl());
Repository repository = jcr.createRepository();
Session session = repository.login(new SimpleCredentials("admin",
"admin".toCharArray()));
UserManager userManager = ((SessionImpl) session).getUserManager();
User userA = userManager.createUser("userA", "userA", new
UserPrincipal("userA"), null);
session.save();
Node folder = JcrUtils.getOrAddFolder(session.getRootNode(),
"myfolder");
folder.addMixin(JcrConstants.MIX_SHAREABLE);
Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
session.save();
String path = otherFolder.getPath();
AccessControlUtils.addAccessControlEntry(session,
otherFolder.getPath(), userA.getPrincipal(), new String[]{Privilege.JCR_READ},
true);
session.save();
session.logout();
session = repository.login(new SimpleCredentials("userA",
"userA".toCharArray()));
Node node = session.getNode(path);
node.remove();
boolean exist = session.itemExists(path);
}
{code}
was:
I have tow users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_
tries to delete the folder no exception is thrown and the folder is deleted.
_admin_ however can still view the node.
{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
File driveFile = new File("/tmp/oakTest", "oakrepo");
File repositoryFile = new File(driveFile, "repository");
File dataStoreFile = new File(driveFile, "datastore");
BlobStore blobStore = new
FileBlobStore(dataStoreFile.getAbsolutePath());
FileStore repositoryStore =
FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
NodeStore nodeStore =
SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new
SecurityProviderImpl());
Repository repository = jcr.createRepository();
Session session = repository.login(new SimpleCredentials("admin",
"admin".toCharArray()));
UserManager userManager = ((SessionImpl) session).getUserManager();
User userA = userManager.createUser("userA", "userA", new
UserPrincipal("userA"), null);
session.save();
Node folder = JcrUtils.getOrAddFolder(session.getRootNode(),
"myfolder");
folder.addMixin(JcrConstants.MIX_SHAREABLE);
Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
session.save();
String path = otherFolder.getPath();
AccessControlUtils.addAccessControlEntry(session,
otherFolder.getPath(), userA.getPrincipal(), new String[]{Privilege.JCR_READ},
true);
session.save();
session.logout();
session = repository.login(new SimpleCredentials("userA",
"userA".toCharArray()));
Node node = session.getNode(path);
node.remove();
boolean exist = session.itemExists(path);
}
{code}
> User with with just JCR_READ privilege can delete a node
>
>
> Key: OAK-4632
> URL: https://issues.apache.org/jira/browse/OAK-4632
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core
>Affects Versions: 1.4.5
>Reporter: Marco Piovesana
>
> I have tow users: _admin_ and _userA_.
> _admin_ creates a folder
[jira] [Updated] (OAK-4632) User with with just JCR_READ privilege can delete a node
[
https://issues.apache.org/jira/browse/OAK-4632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marco Piovesana updated OAK-4632:
-
Description:
I have tow users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_
tries to delete the folder no exception is thrown and the folder is deleted.
_admin_ however can still view the node.
{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
File driveFile = new File("/tmp/oakTest", "oakrepo");
File repositoryFile = new File(driveFile, "repository");
File dataStoreFile = new File(driveFile, "datastore");
BlobStore blobStore = new
FileBlobStore(dataStoreFile.getAbsolutePath());
FileStore repositoryStore =
FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
NodeStore nodeStore =
SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new
SecurityProviderImpl());
Repository repository = jcr.createRepository();
Session session = repository.login(new SimpleCredentials("admin",
"admin".toCharArray()));
UserManager userManager = ((SessionImpl) session).getUserManager();
User userA = userManager.createUser("userA", "userA", new
UserPrincipal("userA"), null);
session.save();
Node folder = JcrUtils.getOrAddFolder(session.getRootNode(),
"myfolder");
folder.addMixin(JcrConstants.MIX_SHAREABLE);
Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
session.save();
String path = otherFolder.getPath();
AccessControlUtils.addAccessControlEntry(session,
otherFolder.getPath(), userA.getPrincipal(), new String[]{Privilege.JCR_READ},
true);
session.save();
session.logout();
session = repository.login(new SimpleCredentials("userA",
"userA".toCharArray()));
Node node = session.getNode(path);
node.remove();
boolean exist = session.itemExists(path);
}
{code}
was:
I have tow users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_
tries to delete the folder no exception is thrown and the folder is deleted. Am
I doing something wrong?
{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
File driveFile = new File("/tmp/oakTest", "oakrepo");
File repositoryFile = new File(driveFile, "repository");
File dataStoreFile = new File(driveFile, "datastore");
BlobStore blobStore = new
FileBlobStore(dataStoreFile.getAbsolutePath());
FileStore repositoryStore =
FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
NodeStore nodeStore =
SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new
SecurityProviderImpl());
Repository repository = jcr.createRepository();
Session session = repository.login(new SimpleCredentials("admin",
"admin".toCharArray()));
UserManager userManager = ((SessionImpl) session).getUserManager();
User userA = userManager.createUser("userA", "userA", new
UserPrincipal("userA"), null);
session.save();
Node folder = JcrUtils.getOrAddFolder(session.getRootNode(),
"myfolder");
folder.addMixin(JcrConstants.MIX_SHAREABLE);
Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
session.save();
String path = otherFolder.getPath();
AccessControlUtils.addAccessControlEntry(session,
otherFolder.getPath(), userA.getPrincipal(), new String[]{Privilege.JCR_READ},
true);
session.save();
session.logout();
session = repository.login(new SimpleCredentials("userA",
"userA".toCharArray()));
Node node = session.getNode(path);
node.remove();
boolean exist = session.itemExists(path);
}
{code}
> User with with just JCR_READ privilege can delete a node
>
>
> Key: OAK-4632
> URL: https://issues.apache.org/jira/browse/OAK-4632
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core
>Affects Versions: 1.4.5
>Reporter: Marco Piovesana
>
> I have tow users: _admin_ and _userA_.
> _admin_ creates a folder and gives JCR_READ privilege to _userA_. When
> _userA_ tries to delete the folder no exception is thrown and the folder is
> deleted. _admin_ however can still view the node.
> {code:title=DeleteTest.java|borderSt
