[PAGES-1325] info.magnolia.rendering.spa.rest.v2.JcrPagesDeliveryEndpoint#createMissingAreaNodes function should be executed in system context Created: 31/Aug/23  Updated: 25/Oct/23  Resolved: 13/Sep/23

Status: Closed
Project: Magnolia pages module
Component/s: None
Affects Version/s: None
Fix Version/s: 6.3.0, 6.2.31

Type: Bug Priority: Neutral
Reporter: Riste Drangovski Assignee: Dai Ha
Resolution: Fixed Votes: 0
Labels: None
Σ Remaining Estimate: 0d Remaining Estimate: 0d
Σ Time Spent: 1d 2.5h Time Spent: 1d 2.5h
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Attachments: PNG File Screenshot 2023-08-31 at 15.55.48.png    
Issue Links:
Relates
relates to PAGES-1341 Avoid trigger JCR node.add() operatio... Open
dependency
is depended upon by PAGES-1330 Add more test usecases for component ... Accepted
Sub-Tasks:
Key | Summary | Type | Status | Assignee
PAGES-1326 | Implement | Sub-task | Closed | Dai Ha
PAGES-1327 | Review | Sub-task | Closed | Oanh Thai Hoang
PAGES-1328 | piQA | Sub-task | Closed | Oanh Thai Hoang
PAGES-1329 | QA | Sub-task | Closed | Anh Vu
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Release notes required:
Yes
Date of First Response:
Epic Link: Support
Sprint: DevX 46
Story Points: 3
Team: DeveloperX
Work Started:
Approved:
Yes

 Description   

info.magnolia.rendering.spa.rest.v2.JcrPagesDeliveryEndpoint#createMissingAreaNodes should be executed in system context, because this function adds missing inherited nodes.

If you don't set bypassWorkspaceAcls=true in the delivery endpoint definition, then you need to add write permission to the anonymous user so that missing area nodes can be created!
Otherwise you'll get a javax.jcr.AccessDeniedException: Access denied. exception!



 Comments   
Comment by Riste Drangovski [ 31/Aug/23 ]

This is also a problem for autogenerated components, because autogenerated components should be created when the REST API is called directly!

Comment by Dai Ha [ 07/Sep/23 ]

Discovery result:
JcrPagesDeliveryEndpoint might require an addNode operation for the purpose of generating missing area nodes. Since all delivery endpoints were designed to return nodes within a read-only session, using those nodes for add* operations will fail with Access Denied.
Fix:
For the ONLY need of generating missing areas, the node will be retrieved again in system context to allow a WRITE-WITHOUT-SAVE operation.

Comment by Riste Drangovski [ 14/Sep/23 ]

looks good, thx

Generated at Mon Feb 12 06:27:10 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.