[MAGNOLIA-2674] User permissions are not checked consistently when removing node data Created: 31/Mar/09 Updated: 23/Jan/13 Resolved: 04/May/09 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | core, security |
| Affects Version/s: | 4.0.1, 3.6.5 |
| Fix Version/s: | 4.1, 3.6.6, 4.0.2 |
| Type: | Bug | Priority: | Critical |
| Reporter: | Jan Haderka | Assignee: | Jan Haderka |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
When removing node data using hm.getRoot().delete(String path), where path points to node data, the whole path is asserted when checking permissions, as expected. However, when removing the very same node data using hm.getContent(String parentPath).deleteNodeData(String name), where parentPath + "/" + name == path, the remove permission of the parent node is checked instead of the remove permission of the node data. |
| Comments |
| Comment by Jan Haderka [ 31/Mar/09 ] |
|
Done as of r24077 on trunk, r24080 on 3.6 branch and r24081 on 4.0 branch. |
| Comment by Philipp Bärfuss [ 15/Apr/09 ] |
|
I know I am a bit late with my comment, but the deletion is a modification of the parent. The same schema is applied for Unix file system permissions, for instance. |
| Comment by Philipp Bärfuss [ 24/Apr/09 ] |
|
I am not sure if the current fix is OK (see comment above) and am reopening so as not to forget about it. |
| Comment by Jan Haderka [ 27/Apr/09 ] |
|
The main point here was inconsistency. We were already doing this in one method, but not in the other. |
| Comment by Philipp Bärfuss [ 04/May/09 ] |
|
For the time being we accept that fix as it solves related issues. I have created a wiki page on which I started to collect security/ACL related issues. http://wiki.magnolia-cms.com/display/DEV/Concept+Security+and+ACLs |
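
The inconsistency from the description, as an added example that is not Magnolia code: a small self-contained Java model in which the two removal routes evaluate different paths against the same ACL, next to a variant that checks the node data's own path on both routes. The class, method names, paths and ACL entries are all hypothetical and constructed for illustration.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical model, not Magnolia's classes: the ACL maps a path to "remove granted?".
public class RemoveCheckDemo {
    // Constructed ACL: remove is granted on the parent node, denied on one of its node data.
    static final Map<String, Boolean> REMOVE_ACL = Map.of(
            "/site/page", true,
            "/site/page/secret", false);
    static final Set<String> STORE = new HashSet<>(Set.of("/site/page/secret"));

    static void requireRemove(String path) {
        // Paths without an ACL entry are denied by default in this model.
        if (!REMOVE_ACL.getOrDefault(path, false)) {
            throw new SecurityException("remove denied: " + path);
        }
    }

    // Route 1: removal by absolute path; the full path is checked.
    static void deleteByPath(String path) {
        requireRemove(path);
        STORE.remove(path);
    }

    // Route 2 as reported: only the parent node's remove permission is checked.
    static void deleteNodeDataReported(String parentPath, String name) {
        requireRemove(parentPath);
        STORE.remove(parentPath + "/" + name);
    }

    // Route 2 aligned with route 1: the node data's own path is checked.
    static void deleteNodeDataConsistent(String parentPath, String name) {
        String path = parentPath + "/" + name;
        requireRemove(path);
        STORE.remove(path);
    }

    static boolean denied(Runnable action) {
        try { action.run(); return false; } catch (SecurityException e) { return true; }
    }

    public static void main(String[] args) {
        boolean byPath = denied(() -> deleteByPath("/site/page/secret"));
        boolean reported = denied(() -> deleteNodeDataReported("/site/page", "secret"));
        STORE.add("/site/page/secret"); // restore the item removed by the reported route
        boolean consistent = denied(() -> deleteNodeDataConsistent("/site/page", "secret"));
        System.out.println("route 1 denied: " + byPath);
        System.out.println("route 2 (reported) denied: " + reported);
        System.out.println("route 2 (consistent) denied: " + consistent);
        System.out.println("routes agree after alignment: " + (byPath == consistent));
    }
}
```

A regression test for this class of bug can take the same shape: for each ACL entry, run every removal route against the same target and assert that all routes reach the same allow or deny decision.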