Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 4.2.0.Final
    • Fix Version/s: 4.3.0.Final
    • Component/s: Security
    • Labels:
      None

      Description

      JcrSession.JcrPresave.aclMetadataRefresh might inadvertently disable ACL check even though nodes with ACLs still exist.

      1. Create a node with two ACLs (ModeShapeLexicon.ACL_COUNT is now 2)
      2. Make a copy of the node using session.getWorkspace().copy (ModeShapeLexicon.ACL_COUNT is now 2)
      3. Remove the two ACLs of the copied node (ModeShapeLexicon.ACL_COUNT is now 0)
      4. aclMetadataRefresh now disables ACL checks globally (repository().repositoryCache().setAccessControlEnabled(false))

      This means that no ACL check will be done on the node created in step 1 even though the node still has ACLs. I do not know if operations other than copy exhibit similar behaviour.
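
A simplified model of the four steps above, added here as an example; it is not ModeShape code and not part of the original report. The `Repo` class, its methods and the `count_copied_acls` switch are hypothetical, and counting the copied ACLs is one assumed way to keep the counter consistent, not the project's actual fix.

```python
# Constructed model of the counter drift in the report (not ModeShape code).

class Repo:
    """Toy repository: a global ACL counter gates whether ACL checks run at all."""

    def __init__(self, count_copied_acls):
        self.acls = {}                    # path -> set of ACL names on that node
        self.acl_count = 0                # stand-in for ModeShapeLexicon.ACL_COUNT
        self.acl_checks_enabled = False   # stand-in for setAccessControlEnabled(...)
        self.count_copied_acls = count_copied_acls  # False reproduces the report

    def _refresh(self):
        # Stand-in for aclMetadataRefresh: checks are switched off at count 0.
        self.acl_checks_enabled = self.acl_count > 0

    def add_acl(self, path, name):
        self.acls.setdefault(path, set()).add(name)
        self.acl_count += 1
        self._refresh()

    def copy(self, src, dest):
        copied = set(self.acls.get(src, ()))
        self.acls[dest] = copied          # the copy carries the source's ACLs
        if self.count_copied_acls:        # assumed consistent behaviour
            self.acl_count += len(copied)
        self._refresh()

    def remove_acl(self, path, name):
        self.acls[path].remove(name)
        self.acl_count -= 1
        self._refresh()

    def unprotected(self):
        """Nodes that still carry ACLs while checks are globally disabled."""
        if self.acl_checks_enabled:
            return []
        return sorted(p for p, a in self.acls.items() if a)


def replay_report(count_copied_acls):
    repo = Repo(count_copied_acls)
    repo.add_acl("/original", "acl-1")    # step 1: node with two ACLs
    repo.add_acl("/original", "acl-2")
    repo.copy("/original", "/copy")       # step 2: copy the node
    repo.remove_acl("/copy", "acl-1")     # step 3: remove the copy's ACLs
    repo.remove_acl("/copy", "acl-2")
    return repo.acl_count, repo.acl_checks_enabled, repo.unprotected()
```

`replay_report(False)` ends with the counter at 0, checks disabled and `/original` listed as unprotected; comparing the cached counter against the nodes that actually carry ACLs, as `unprotected()` does, is the consistency check that exposes the drift.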

              People

              • Assignee:
                hchiorean Horia Chiorean
                Reporter:
                jacobilsoe Jacob Ilsø
              • Votes:
                0
                Watchers:
                2