On 30.09.11 15:48, "Markus Joschko" <[email protected]> wrote:
>I am not completely sure on this. At the moment I am totally confused
>about the behavior.
>With a mix of davex client and serverside sessions I've seen the
>described leakage: Only for newly created sessions the acls applied.
>
>On the other hand I just have written a test that works solely with an
>embedded jackrabbit and two sessions (admin & user) and here security
>seems to apply immediately on move, no leakage.

If you use Workspace.move() that this is working outside of a session (no session.save() needed), i.e. acts like a new session.

>Should it really only work with newly created session then that is IMO
>a security risk.

Hmm, yes, maybe I am wrong :-)

>In a setup like /departmentA/topsecret where topsecret is denied in
>rep:glob, topsecret should certainly not be visible to anyone even
>when the department is moved to /departmentB.

Yes.

Alex

--
Alexander Klimetschek
Developer // Adobe (Day) // Berlin - Basel
