Details
- Bug
- Resolution: Done
- Major
- 4.0.0.Final
Description
We discovered an authorization issue in fcrepo4 that stems from ModeShape's jcr.api.JcrTools.
https://github.com/ModeShape/modeshape/blob/master/modeshape-jcr-api/src/main/java/org/modeshape/jcr/api/JcrTools.java#L415
This happens when a user tries to create a node under a node he has permissions for, but lacks permission for its ancestral parent.
For example, when a user has permission for /parent/child/grandchild, but not for /parent, the request to create /parent/child/grandchild/progeny is denied.
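
A minimal model of the denial described above, as an added example that is not code from fcrepo4 or ModeShape. It assumes the helper resolves the path from the root one segment at a time and that nodes the caller cannot read look absent; `Repo`, `create_walking_from_root` and `create_from_deepest_visible` are hypothetical names, and the second function is one possible approach, not the project's fix.

```python
# Toy model (constructed): a grant covers a node and its descendants, never its ancestors.
class AccessDenied(Exception):
    """Raised when the caller may not add a child under the given parent path."""

class Repo:
    def __init__(self, paths, grants):
        self.paths = set(paths) | {"/"}
        self.grants = set(grants)
    def allowed(self, path):
        return any(path == g or path.startswith(g.rstrip("/") + "/") for g in self.grants)
    def exists(self, path):
        # Nodes the caller cannot read look absent, as in a permission-filtered lookup.
        return path in self.paths and self.allowed(path)
    def add(self, parent, name):
        if not self.allowed(parent):
            raise AccessDenied(parent)
        child = parent.rstrip("/") + "/" + name
        self.paths.add(child)
        return child

def create_walking_from_root(repo, path):
    # Assumed behaviour of the helper: descend from "/" and create whatever looks missing.
    node = "/"
    for name in path.strip("/").split("/"):
        child = node.rstrip("/") + "/" + name
        # An unreadable /parent looks missing, so creation is attempted at the root.
        node = child if repo.exists(child) else repo.add(node, name)
    return node

def create_from_deepest_visible(repo, path):
    # Look up the deepest ancestor the caller can read, then create only below it.
    names = path.strip("/").split("/")
    for depth in range(len(names), 0, -1):
        anchor = "/" + "/".join(names[:depth])
        if repo.exists(anchor):
            node = anchor
            for name in names[depth:]:
                node = repo.add(node, name)
            return node
    raise AccessDenied(path)

def demo():
    paths, grants = {"/parent", "/parent/child", "/parent/child/grandchild"}, {"/parent/child/grandchild"}
    target = "/parent/child/grandchild/progeny"
    try:
        walked = create_walking_from_root(Repo(paths, grants), target)
    except AccessDenied as denied:
        walked = f"denied at {denied}"
    return walked, create_from_deepest_visible(Repo(paths, grants), target)
```

A caller with no grant at all is still denied by both functions, so resolving from the deepest readable node does not widen access.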