[ https://issues.apache.org/jira/browse/OAK-4632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marco Piovesana updated OAK-4632:
---------------------------------
    Summary: remove node behaviour  (was: User with with just JCR_READ privilege can delete a node)

> remove node behaviour
> ---------------------
>
>                 Key: OAK-4632
>                 URL: https://issues.apache.org/jira/browse/OAK-4632
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.4.5
>            Reporter: Marco Piovesana
>
> I have two users: _admin_ and _userA_.
> _admin_ creates a folder and gives JCR_READ privilege to _userA_. When
> _userA_ tries to delete the folder no exception is thrown and the folder is
> deleted. _admin_ however can still view the node.
> If I give to _userA_ the privilege to remove the node
> (_Privilege.JCR_REMOVE_NODE_) nothing changes.
> Is this the expected behaviour? How can I give to _userA_ the privilege to
> completely remove the node (remove it also for _admin_)?
> {code:title=DeleteTest.java|borderStyle=solid}
>     public void deleteWithoutPermission() throws IOException, RepositoryException {
>         // Set up a file-backed segment store under /tmp/oakTest/oakrepo
>         File driveFile = new File("/tmp/oakTest", "oakrepo");
>         File repositoryFile = new File(driveFile, "repository");
>         File dataStoreFile = new File(driveFile, "datastore");
>         BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
>         FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
>         NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
>         Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl());
>         Repository repository = jcr.createRepository();
>
>         // As admin: create userA and the folders
>         Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
>         UserManager userManager = ((SessionImpl) session).getUserManager();
>         User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null);
>         session.save();
>         Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder");
>         folder.addMixin(JcrConstants.MIX_SHAREABLE);
>         Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
>         otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
>         session.save();
>         String path = otherFolder.getPath();
>
>         // Grant userA only JCR_READ on otherFolder
>         AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(), new String[]{Privilege.JCR_READ}, true);
>         session.save();
>         session.logout();
>
>         // As userA: remove the node and check whether it still exists in this session
>         session = repository.login(new SimpleCredentials("userA", "userA".toCharArray()));
>         Node node = session.getNode(path);
>         node.remove();
>         boolean exist = session.itemExists(path);
>     }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)