2 Replies Latest reply on Nov 6, 2014 10:44 AM by mohideen

    Modeshape authorization

    mohideen

      We discovered an authorization issue in fcrepo4 that is stemming from modeshape's jcr.api.JcrTools.

      https://github.com/ModeShape/modeshape/blob/master/modeshape-jcr-api/src/main/java/org/modeshape/jcr/api/JcrTools.java#L415


      This happens when a user tries to create a node under a node he has permissions for, but lacks the permission to its ancestral parent.


      For example, when a user has permission for /parent/child/grandchild, but not to /parent, the request to create /parent/child/grandchild/progeny is denied.

       

      Is this a known behavior?
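
The denial described in the post above can be reproduced in a toy model. This is an added example, not part of the original post and not ModeShape or fcrepo4 code. The `Repo` class, the prefix-based grant check and both helper functions are hypothetical, and the root-first walk in `create_top_down` is an assumption about how such a helper behaves, not a copy of `JcrTools`.

```python
# Toy model, constructed for illustration; none of this is ModeShape or fcrepo4 code.
class AccessDenied(Exception):
    pass

class Repo:
    def __init__(self, nodes, grants):
        self.nodes = set(nodes)      # absolute paths that exist
        self.grants = tuple(grants)  # subtrees the user holds permission on

    def permitted(self, path):
        return any(path == g or path.startswith(g + "/") for g in self.grants)

    def get_node(self, path):
        if not self.permitted(path):
            raise AccessDenied(path)
        if path not in self.nodes:
            raise KeyError(path)
        return path

    def add_node(self, parent, name):
        if not self.permitted(parent):
            raise AccessDenied(parent)
        self.nodes.add(f"{parent}/{name}")
        return f"{parent}/{name}"

def create_top_down(repo, path):
    """Assumed helper shape: resolve every ancestor in turn, starting at the root."""
    current = ""
    for seg in path.strip("/").split("/"):
        nxt = f"{current}/{seg}"
        current = repo.get_node(nxt) if nxt in repo.nodes else repo.add_node(current, seg)
    return current

def create_from_deepest(repo, path):
    """Alternative: fetch the deepest ancestor the session can resolve by absolute path."""
    segs = path.strip("/").split("/")
    for i in range(len(segs) - 1, 0, -1):
        try:
            current = repo.get_node("/" + "/".join(segs[:i]))
        except (AccessDenied, KeyError):
            continue
        for seg in segs[i:]:
            current = repo.add_node(current, seg)
        return current
    raise AccessDenied(path)

def sample_repo():
    # Constructed sample: the user is granted only the grandchild subtree.
    nodes = ["/parent", "/parent/child", "/parent/child/grandchild"]
    return Repo(nodes, grants=["/parent/child/grandchild"])
```

In this model the root-first walk fails at `/parent` before it ever reaches the node the user is allowed to write under, while resolving the permitted ancestor directly lets the same request succeed without widening the grant.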