Uploaded image for project: 'ModeShape'
  1. ModeShape
  2. MODE-2354

JcrTools authorization issue while create child nodes

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 4.0.0.Final
    • Fix Version/s: 4.1.0.Final
    • Component/s: None
    • Labels:
      None

      Description

      We discovered an authorization issue in fcrepo4 that is stemming from modeshape's jcr.api.JcrTools.
      https://github.com/ModeShape/modeshape/blob/master/modeshape-jcr-api/src/main/java/org/modeshape/jcr/api/JcrTools.java#L415

      This happens when an user tries create a node under a node he has permissions for, but lacks the permission to its ancestoral-parent.

      For example, when an user has permission for /parent/child/grandchild, but not to /parent, the request to create /parent/child/grandchild/progeny is denied.

      https://developer.jboss.org/thread/249962

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                mohideen Mohamed Abdul Rasheed
              • Votes:
                1 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: