AccessControlManager#getEffectivePolicies(String) may expose AC content without
proper permissions
--------------------------------------------------------------------------------------------------
Key: JCR-2646
URL: https://issues.apache.org/jira/browse/JCR-2646
Project: Jackrabbit Content Repository
Issue Type: Bug
Components: jackrabbit-core
Affects Versions: 2.1.0, 2.0.0
Reporter: angela
Assignee: angela
Priority: Minor
Fix For: 2.2.0

The implementation of AccessControlManager#getEffectivePolicies(String) in the
DefaultAccessManager only checks if the session is allowed to read AC content
at the specified path. However, the result may also include policies effective
at absPath that should not be visible to the editing session (read_AC
permissions denied, e.g., at an ancestor node) and could not be read by the
editing session by means of #getPolicies().
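
The gap described in the report, as an added toy model in Java. This is not Jackrabbit code and not the fix that was applied for this issue. The class, the paths, the policy names and the flat "read AC granted" set are all assumptions made for illustration; filtering per policy is one way to meet the expectation the report states.

```java
import java.util.*;

// Toy model, not Jackrabbit code. All paths and policy names are constructed.
public class EffectivePoliciesModel {
    // Path -> policy stored at that path.
    static final Map<String, String> POLICIES = new LinkedHashMap<>();
    // Paths where the editing session is granted read access to AC content
    // (assumption: a flat set stands in for real permission evaluation).
    static final Set<String> READ_AC_GRANTED = new HashSet<>();
    static {
        POLICIES.put("/", "root-acl");
        POLICIES.put("/content", "content-acl");
        POLICIES.put("/content/site", "site-acl");
        READ_AC_GRANTED.add("/content/site"); // denied at "/" and "/content"
    }

    // absPath followed by each ancestor up to the root.
    static List<String> selfAndAncestors(String absPath) {
        List<String> paths = new ArrayList<>();
        String p = absPath;
        while (!p.equals("/")) {
            paths.add(p);
            p = p.substring(0, Math.max(p.lastIndexOf('/'), 1));
        }
        paths.add("/");
        return paths;
    }

    // perPolicyCheck=false: the single check at absPath described in the report.
    // perPolicyCheck=true: also require read access where each policy is stored.
    static List<String> effectivePolicies(String absPath, boolean perPolicyCheck) {
        if (!READ_AC_GRANTED.contains(absPath)) {
            throw new SecurityException("AC content not readable at " + absPath);
        }
        List<String> result = new ArrayList<>();
        for (String p : selfAndAncestors(absPath)) {
            boolean readable = !perPolicyCheck || READ_AC_GRANTED.contains(p);
            if (POLICIES.containsKey(p) && readable) {
                result.add(POLICIES.get(p));
            }
        }
        return result;
    }

    public static void main(String[] args) {
        System.out.println("check at absPath only: " + effectivePolicies("/content/site", false));
        System.out.println("check per policy:      " + effectivePolicies("/content/site", true));
    }
}
```

With the single check, the session receives the policies stored at "/content" and "/" although it cannot read AC content there; with the per-policy check only the policy at "/content/site" is returned.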