Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 4.2.0.Final
Affects Version/s: 4.1.0.Final
Component/s: JCR
Labels:
None

Forum Reference:
https://developer.jboss.org/message/915450#915450
Git Pull Request:
https://github.com/ModeShape/modeshape/pull/1371

Description

If a parent node does not have the JCR_MODIFY_ACCESS_CONTROL privilege, ACL modifications on child nodes should not be allowed.

If, however, a child node was added when the parent node had the JCR_MODIFY_ACCESS_CONTROL privilege, and at that time the child node was given an empty ACL list, it currently means that the ACLs can be modified on that child even after JCR_MODIFY_ACCESS_CONTROL was removed from the parent.

I believe the problematic place is in AccessControlManagerImpl.hasPrivileges where a node with an empty ACL list always has all privileges.

Attachments

Activity

People

Assignee:: Horia Chiorean (Inactive)

Reporter:: Jacob Ilsø (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2015/01/09 6:29 AM

Updated:: 2015/01/13 11:36 AM

Resolved:: 2015/01/13 11:36 AM