On Fri, Sep 30, 2011 at 3:06 PM, Alexander Klimetschek <[email protected]> wrote:

> On 28.09.11 09:34, "Markus Joschko" <[email protected]> wrote:
>> Yep, I tried a refresh on the session with no effect. I also fetch the
>> node every time again with the getNode(path) method on the session.
>> Does anybody know if there is a difference in the permission handling
>> between CRX and Jackrabbit?
>> How are the permissions cached and when is the cache invalidated?
>
> AFAIK if you change permissions, they will only apply to newly created
> sessions.

I am not completely sure on this. At the moment I am totally confused about the behavior.

With a mix of DavEx client and server-side sessions I've seen the described leakage: only for newly created sessions were the ACLs applied. On the other hand, I have just written a test that works solely with an embedded Jackrabbit and two sessions (admin & user), and here security seems to apply immediately on move, no leakage.

Should it really only work with newly created sessions, then that is IMO a security risk. In a setup like /departmentA/topsecret, where topsecret is denied via rep:glob, topsecret should certainly not be visible to anyone even when the department is moved to /departmentB.

As I said, I cannot reproduce it programmatically, but I am a bit uneasy about that at the moment.

Regards,
Markus

> Cheers,
> Alex
>
> --
> Alexander Klimetschek
> Developer // Adobe (Day) // Berlin - Basel
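The embedded two-session test Markus describes, written out as an added example (this is not his test code and not part of the original mail). It assumes a stock Jackrabbit 2.x TransientRepository with the default admin/admin account, a made-up user "bob", and the standard resource-based ACL provider with rep:glob restrictions; the node names follow the thread. It prints what an existing session and a freshly created session each see after the move, rather than asserting either outcome, because which behaviour is correct is exactly what the thread is trying to establish.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;

import javax.jcr.Node;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.Value;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.core.TransientRepository;

/**
 * Hypothetical reproduction of the /departmentA/topsecret scenario from the
 * thread (added example, not the poster's code). Assumes Jackrabbit 2.x with
 * the default admin/admin account and resource-based ACLs.
 */
public class AclMoveCheck {

    /** Returns the ACL already bound to, or else applicable at, the given path. */
    static JackrabbitAccessControlList aclFor(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        throw new RepositoryException("No JackrabbitAccessControlList at " + path);
    }

    public static void main(String[] args) throws Exception {
        Repository repo = new TransientRepository();
        Session admin = repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            // Low-privileged test user; "bob"/"bob" are made-up credentials.
            User bob = ((JackrabbitSession) admin).getUserManager().createUser("bob", "bob");
            Principal bobP = bob.getPrincipal();

            Node dept = admin.getRootNode().addNode("departmentA", "nt:unstructured");
            dept.addNode("topsecret", "nt:unstructured");
            admin.save();

            AccessControlManager acm = admin.getAccessControlManager();
            Privilege[] read = new Privilege[] { acm.privilegeFromName(Privilege.JCR_READ) };

            // Allow bob to read everything below the root ...
            JackrabbitAccessControlList rootAcl = aclFor(acm, "/");
            rootAcl.addAccessControlEntry(bobP, read);
            acm.setPolicy("/", rootAcl);

            // ... but deny read on topsecret via a rep:glob restriction on the department
            // node. The glob is relative to the ACL node; "/topsecret*" covers the node
            // and its subtree, so the deny travels with departmentA when it is moved.
            Map<String, Value> glob = Collections.singletonMap(
                    "rep:glob", admin.getValueFactory().createValue("/topsecret*"));
            JackrabbitAccessControlList deptAcl = aclFor(acm, "/departmentA");
            deptAcl.addEntry(bobP, read, false, glob);
            acm.setPolicy("/departmentA", deptAcl);
            admin.save();

            Session bobSession = repo.login(new SimpleCredentials("bob", "bob".toCharArray()));
            try {
                System.out.println("before move, existing session sees /departmentA/topsecret: "
                        + bobSession.nodeExists("/departmentA/topsecret"));

                admin.move("/departmentA", "/departmentB");
                admin.save();
                bobSession.refresh(false);

                // The open question from the thread: does the already-open session honour
                // the ACL under the new path, or does only a fresh login see it?
                System.out.println("after move, existing session sees /departmentB/topsecret: "
                        + bobSession.nodeExists("/departmentB/topsecret"));
                Session fresh = repo.login(new SimpleCredentials("bob", "bob".toCharArray()));
                try {
                    System.out.println("after move, new session sees /departmentB/topsecret: "
                            + fresh.nodeExists("/departmentB/topsecret"));
                } finally {
                    fresh.logout();
                }
            } finally {
                bobSession.logout();
            }
        } finally {
            admin.logout();
        }
    }
}
```

If the second line prints true while the third prints false, the existing session is serving stale permissions after the move, which is the leakage Markus is worried about; if both print false, permission evaluation followed the moved ACL immediately. The allow is placed on the root ACL and the deny on the department ACL deliberately, so the result does not depend on entry ordering within a single ACL.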
