AccessControlManager#getEffectivePolicies(String) may expose AC content without proper permissions
--------------------------------------------------------------------------------------------------

Key: JCR-2646
URL: https://issues.apache.org/jira/browse/JCR-2646
Project: Jackrabbit Content Repository
Issue Type: Bug
Components: jackrabbit-core
Affects Versions: 2.1.0, 2.0.0
Reporter: angela
Assignee: angela
Priority: Minor
Fix For: 2.2.0

The implementation of AccessControlManager#getEffectivePolicies(String) in the DefaultAccessManager only checks if the session is allowed to read AC content at the specified path. However, the result may also include policies effective at absPath that should not be visible to the editing session (read_AC permissions denied e.g. at an ancestor node) and could not be read by the editing session by means of #getPolicies().
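
The check described in this report, as an added example that is not Jackrabbit code and not the reporter's: a toy model in which policies are bound to node paths and effective policies are collected from absPath and its ancestors. The class and method names, the flat `readAcGranted` set, and the filtering approach in `effectiveChecked` are assumptions made for illustration; the report does not say how the fix was implemented.

```java
import java.util.*;

// Toy model with constructed data, not Jackrabbit code.
public class EffectivePolicyCheck {
    final Map<String, String> policyAt = new LinkedHashMap<>(); // node path -> policy bound there
    final Set<String> readAcGranted = new HashSet<>();          // paths where the session may read AC content

    // absPath followed by its ancestors up to the root, nearest first.
    static List<String> selfAndAncestors(String absPath) {
        List<String> out = new ArrayList<>();
        for (String p = absPath; ; p = p.substring(0, Math.max(p.lastIndexOf('/'), 1))) {
            out.add(p);
            if (p.equals("/")) return out;
        }
    }

    // Behaviour described in the report: the permission is checked at absPath only,
    // yet the result also contains policies bound to ancestor nodes.
    List<String> effectiveFlawed(String absPath) {
        if (!readAcGranted.contains(absPath))
            throw new SecurityException("read AC denied at " + absPath);
        List<String> out = new ArrayList<>();
        for (String p : selfAndAncestors(absPath))
            if (policyAt.containsKey(p)) out.add(policyAt.get(p));
        return out;
    }

    // Assumed hardening: a policy is returned only if the session may also read
    // AC content at the node the policy is bound to, matching what it could
    // obtain from getPolicies() on that node.
    List<String> effectiveChecked(String absPath) {
        if (!readAcGranted.contains(absPath))
            throw new SecurityException("read AC denied at " + absPath);
        List<String> out = new ArrayList<>();
        for (String p : selfAndAncestors(absPath))
            if (policyAt.containsKey(p) && readAcGranted.contains(p)) out.add(policyAt.get(p));
        return out;
    }

    public static void main(String[] args) {
        EffectivePolicyCheck m = new EffectivePolicyCheck();
        m.policyAt.put("/", "root-acl");
        m.policyAt.put("/content", "content-acl");
        m.policyAt.put("/content/site", "site-acl");
        m.readAcGranted.add("/content/site"); // denied at both ancestors
        System.out.println("flawed:  " + m.effectiveFlawed("/content/site"));
        System.out.println("checked: " + m.effectiveChecked("/content/site"));
    }
}
```

A regression test for this class of bug can assert that every policy returned for absPath is also readable by the same session at the node it is bound to.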