[MAGNOLIA-2674] User permissions are not checked consistently when removing node data Created: 31/Mar/09  Updated: 23/Jan/13  Resolved: 04/May/09

Status: Closed
Project: Magnolia
Component/s: core, security
Affects Version/s: 4.0.1, 3.6.5
Fix Version/s: 4.1, 3.6.6, 4.0.2

Type: Bug Priority: Critical
Reporter: Jan Haderka Assignee: Jan Haderka
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
dependency
is depended upon by MAGNOLIA-2656 Unable to delete superuser email addr... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:

 Description   

When removing node data using hm.getRoot().delete(String path) where path points to node data, the whole path is asserted when checking permissions as expected. However when removing very same node data using hm.getContent(String parentPath).deleteNodeData(String name) where parentPath + "/" + "name" == path the remove permission of the parent node is checked instead of remove permission of the node data.



 Comments   
Comment by Jan Haderka [ 31/Mar/09 ]

Done as of r24077 on trunk, r24080 on 3.6 branch and r24081 on 4.0 branch.

Comment by Philipp Bärfuss [ 15/Apr/09 ]

I know I am a bit late with my comment but the deletion is a modification of the parent. Same schema is applied for unix file system permissions for instance.

Comment by Philipp Bärfuss [ 24/Apr/09 ]

I am not sure if the current fix is OK (see comment above) and reopen not to forget about it.

Comment by Jan Haderka [ 27/Apr/09 ]

The main point here was inconsistency. We were already doing this in one method, but not in the other.
I'm fine following unix perm scheme, as long as we change the piece of code that tries to remove node data when setting it's value to empty string. This in combination with unix perm scheme makes it impossible to set proper permissions for a node in some situations.

Comment by Philipp Bärfuss [ 04/May/09 ]

For time being we accept that fix as it solves related issues. I have created a wiki page on which I started to collect security/ACL related issues.

http://wiki.magnolia-cms.com/display/DEV/Concept+Security+and+ACLs

Generated at Mon Feb 12 03:39:00 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.