Uploaded image for project: 'ModeShape'
  1. ModeShape
  2. MODE-2210

Session.getNodeByIdentifier does not check ACLs

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 4.0.0.Alpha3, 3.7.4.Final, 3.8.0.Final
    • 3.4.0.Final, 3.5.0.Final, 3.6.0.Final, 3.6.1.Final, 3.7.0.Final, 3.7.1.Final, 3.7.2.Final, 4.0.0.Alpha2, 3.7.3.Final
    • JCR
    • None

    Description

      The Session.getNodeByIdentifier(String) method and the deprecated Session.getNodeByUUID(String) method do not check ACLs. This is not a problem when a repository does not use ACLs, but when it does these methods provide a security hole.

      Attachments

        Issue Links

          is related to

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) MODE-2211 Simplify ACL checks and make them more efficient

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved

          Activity

            People

              rhauch Randall Hauch (Inactive)
              rhauch Randall Hauch (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: