I think you are right, but the place to look at is enumeratePermissions.

PropFindMethod:1298
Enumeration aclList = security.enumeratePermissions(slideToken, current);

I know there are some methods there without security checks, but I thought they were only used internally. If you want, add a checkCredentials in enumeratePermissions and test. Maybe create a bugzilla entry to not forget this.

Nice catch

Dirk

"Hermann, Eckehard" wrote:
>
> Hi all,
>
> I would like to use the read-acl and write-acl permissions. For this I
> defined the following permissions under configuration in the Domain.xml
> file:
>
> <grant-permission>/administration/security/actions/write-acl</grant-permission>
> <revoke-permission>/administration/security/actions/write-acl</revoke-permission>
> <read-permissions>/administration/security/actions/read-acl</read-permissions>
>
> If I define an ACL/ACE with the permission deny write-acl for a principal on
> a special node and this principal tries to execute the ACL method at this
> node, slide returns with forbidden. But if I define an ACE with the
> permission deny read-acl for a principal at a node and the principal tries
> to do a propfind acl, all acls are returned. I had a look into the
> PropFindMethod.java and the retrieve() method of the StructureImpl.java and
> it seems to me that just a checkCredentials to read permission and not to
> read-acl permission as well is done.
>
> Does anyone know if I do anything wrong or, if it is a bug, how it could be
> fixed.
>
> regards Eckehard
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
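The authorization gap discussed in this thread, modelled as an added example rather than Slide's own code: a toy ACL store with separate `read` and `read-acl` permissions, a PROPFIND-style ACL enumeration that checks only `read` (the reported behaviour), and a corrected version that also requires `read-acl` before returning the ACEs. All names here (`Ace`, `Node`, `check_credentials`, `enumerate_permissions`, the principal and path values) are constructed for illustration and are not identifiers from the Slide code base.

```python
# Hypothetical model of a WebDAV-style ACL store. Not Slide's code;
# it only reproduces the check ordering the thread is about.
from dataclasses import dataclass, field
from typing import List, Tuple

READ = "read"           # may read the resource body/properties
READ_ACL = "read-acl"   # may read the resource's ACL (DAV:read-acl)
WRITE_ACL = "write-acl" # may modify the resource's ACL (DAV:write-acl)


class Forbidden(Exception):
    """Raised when a principal lacks a required permission."""


@dataclass
class Ace:
    principal: str
    permission: str
    deny: bool = False  # True for a deny ACE, False for a grant ACE


@dataclass
class Node:
    path: str
    acl: List[Ace] = field(default_factory=list)


def check_credentials(node: Node, principal: str, permission: str) -> bool:
    """An explicit deny ACE wins; otherwise an explicit grant is required."""
    matching = [a for a in node.acl
                if a.principal == principal and a.permission == permission]
    if any(a.deny for a in matching):
        return False
    return any(not a.deny for a in matching)


def enumerate_permissions(node: Node) -> List[Tuple[str, str, bool]]:
    """Raw ACE listing with no authorization check of its own
    (the internal helper the reply above points at)."""
    return [(a.principal, a.permission, a.deny) for a in node.acl]


def propfind_acl_reported(node: Node, principal: str):
    """Behaviour described in the thread: only 'read' is checked, so a
    principal denied 'read-acl' still receives the full ACE list."""
    if not check_credentials(node, principal, READ):
        raise Forbidden(f"{principal} may not read {node.path}")
    return enumerate_permissions(node)


def propfind_acl_fixed(node: Node, principal: str):
    """Corrected ordering: 'read' and 'read-acl' are both required before
    the ACL property is disclosed."""
    if not check_credentials(node, principal, READ):
        raise Forbidden(f"{principal} may not read {node.path}")
    if not check_credentials(node, principal, READ_ACL):
        raise Forbidden(f"{principal} may not read the ACL of {node.path}")
    return enumerate_permissions(node)


def sample_node() -> Node:
    """Constructed sample: 'alice' may read the node but is denied read-acl."""
    return Node("/files/report.txt", [
        Ace("alice", READ),
        Ace("alice", READ_ACL, deny=True),
        Ace("admin", READ),
        Ace("admin", READ_ACL),
        Ace("admin", WRITE_ACL),
    ])


if __name__ == "__main__":
    node = sample_node()
    print("reported behaviour:", propfind_acl_reported(node, "alice"))
    try:
        propfind_acl_fixed(node, "alice")
    except Forbidden as e:
        print("fixed behaviour:", e)
```

The point of the two PROPFIND variants is that `enumerate_permissions` itself performs no check, so any caller that reaches it without testing `read-acl` discloses the ACL; putting the `read-acl` check either in the caller (as `propfind_acl_fixed` does) or inside the enumeration helper, as the reply suggests, closes the gap.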