Uploaded image for project: 'ModeShape'
  1. ModeShape
  2. MODE-2408

JCR_MODIFY_ACCESS_CONTROL privilege not working as intended

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 4.2.0.Final
    • 4.1.0.Final
    • JCR
    • None

      If a parent node does not have the JCR_MODIFY_ACCESS_CONTROL privilege, ACL modifications on child nodes should not be allowed.

      If, however, a child node was added when the parent node had the JCR_MODIFY_ACCESS_CONTROL privilege, and at that time the child node was given an empty ACL list, it currently means that the ACLs can be modified on that child even after JCR_MODIFY_ACCESS_CONTROL was removed from the parent.

      I believe the problematic place is in AccessControlManagerImpl.hasPrivileges where a node with an empty ACL list always has all privileges.

            hchiorean Horia Chiorean (Inactive)
            jacobilsoe_jira Jacob Ilsø (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: