jackrabbit-oak-issues mailing list archives

From "Marco Piovesana (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (OAK-4632) User with just JCR_READ privilege can delete a node
Date Tue, 02 Aug 2016 15:59:20 GMT

     [ https://issues.apache.org/jira/browse/OAK-4632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marco Piovesana updated OAK-4632:
---------------------------------
    Description: 
I have two users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ tries to delete
the folder no exception is thrown and the folder is deleted. _admin_ however can still view
the node.

{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
        File driveFile = new File("/tmp/oakTest", "oakrepo");
        File repositoryFile = new File(driveFile, "repository");
        File dataStoreFile = new File(driveFile, "datastore");

        BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
        FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();

        NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
        Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl());

        Repository repository = jcr.createRepository();
        Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
        UserManager userManager = ((SessionImpl) session).getUserManager();
        User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null);
        session.save();

        Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder");
        folder.addMixin(JcrConstants.MIX_SHAREABLE);
        Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
        otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
        session.save();
        String path = otherFolder.getPath();
        AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(),
                new String[]{Privilege.JCR_READ}, true);
        session.save();
        session.logout();
        session = repository.login(new SimpleCredentials("userA", "userA".toCharArray()));
        Node node = session.getNode(path);
        node.remove();
        boolean exist = session.itemExists(path);
    }
{code}



  was:
I have two users: _admin_ and _userA_.
_admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ tries to delete
the folder no exception is thrown and the folder is deleted. Am I doing something wrong?

{code:title=DeleteTest.java|borderStyle=solid}
public void deleteWithoutPermission() throws IOException, RepositoryException {
        File driveFile = new File("/tmp/oakTest", "oakrepo");
        File repositoryFile = new File(driveFile, "repository");
        File dataStoreFile = new File(driveFile, "datastore");

        BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
        FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();

        NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
        Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl());

        Repository repository = jcr.createRepository();
        Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
        UserManager userManager = ((SessionImpl) session).getUserManager();
        User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null);
        session.save();

        Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder");
        folder.addMixin(JcrConstants.MIX_SHAREABLE);
        Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
        otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
        session.save();
        String path = otherFolder.getPath();
        AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(),
                new String[]{Privilege.JCR_READ}, true);
        session.save();
        session.logout();
        session = repository.login(new SimpleCredentials("userA", "userA".toCharArray()));
        Node node = session.getNode(path);
        node.remove();
        boolean exist = session.itemExists(path);
    }
{code}




> User with just JCR_READ privilege can delete a node
> ---------------------------------------------------
>
>                 Key: OAK-4632
>                 URL: https://issues.apache.org/jira/browse/OAK-4632
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.4.5
>            Reporter: Marco Piovesana
>
> I have two users: _admin_ and _userA_.
> _admin_ creates a folder and gives JCR_READ privilege to _userA_. When _userA_ tries
> to delete the folder no exception is thrown and the folder is deleted. _admin_ however can
> still view the node.
> {code:title=DeleteTest.java|borderStyle=solid}
> public void deleteWithoutPermission() throws IOException, RepositoryException {
>         File driveFile = new File("/tmp/oakTest", "oakrepo");
>         File repositoryFile = new File(driveFile, "repository");
>         File dataStoreFile = new File(driveFile, "datastore");
>         BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
>         FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
>         NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();
>         Jcr jcr = new Jcr(nodeStore).with(new InitialContent()).with(new SecurityProviderImpl());
>         Repository repository = jcr.createRepository();
>         Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
>         UserManager userManager = ((SessionImpl) session).getUserManager();
>         User userA = userManager.createUser("userA", "userA", new UserPrincipal("userA"), null);
>         session.save();
>         Node folder = JcrUtils.getOrAddFolder(session.getRootNode(), "myfolder");
>         folder.addMixin(JcrConstants.MIX_SHAREABLE);
>         Node otherFolder = JcrUtils.getOrAddFolder(folder, "otherFolder");
>         otherFolder.addMixin(JcrConstants.MIX_SHAREABLE);
>         session.save();
>         String path = otherFolder.getPath();
>         AccessControlUtils.addAccessControlEntry(session, otherFolder.getPath(), userA.getPrincipal(),
>                 new String[]{Privilege.JCR_READ}, true);
>         session.save();
>         session.logout();
>         session = repository.login(new SimpleCredentials("userA", "userA".toCharArray()));
>         Node node = session.getNode(path);
>         node.remove();
>         boolean exist = session.itemExists(path);
>     }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
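
Added example, not part of the original report or of Oak's own code: a JCR 2.0 helper that checks the scenario above at the point where a removal would be persisted, and confirms the outcome from a second session. It assumes write permissions are enforced no later than `Session.save()`; `RemoveDeniedCheck`, `removeIsDenied` and the two session parameters are hypothetical names.

```java
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

/** Added example; class and method names are hypothetical. */
public final class RemoveDeniedCheck {

    /**
     * Returns true only if the user behind userSession cannot persist
     * removal of the item at path, as observed from observerSession
     * (e.g. an admin session on the same repository).
     */
    public static boolean removeIsDenied(Session userSession, Session observerSession, String path)
            throws RepositoryException {
        // 1. Ask the permission evaluator directly, before touching content.
        boolean granted = userSession.hasPermission(path, Session.ACTION_REMOVE);

        // 2. Attempt the removal and try to persist it.
        boolean rejected = false;
        try {
            userSession.getNode(path).remove(); // transient: pending in this session only
            userSession.save();                 // the attempt to persist the removal
        } catch (AccessDeniedException e) {
            rejected = true;
        } finally {
            userSession.refresh(false);         // discard any pending changes
        }

        // 3. Confirm from an independent session that the node is still persisted.
        observerSession.refresh(false);
        boolean stillThere = observerSession.nodeExists(path);

        return !granted && rejected && stillThere;
    }
}
```

`Session.itemExists(path)` called on the removing session right after `node.remove()` reflects that session's pending changes, so the check above reads the persisted state through a different session.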
