I'm creating a node with pretty strict ACLs, so basically after the node is created nobody can read it anymore. Now when I log in as a different user and query the main node via
node.hasNode("foo");
it still returns a correct true/false depending on whether the node actually exists. If I call
node.getNode("foo");
I'm getting the (expected) AccessDeniedException.
I've checked the source code and see that hasNode never actually checks any ACLs. Is that the intended behaviour? This is (at least) a minor security risk, isn't it?
No, in this case hasNode should check READ permissions and return false. Feel free to open an issue. Thanks.
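An added example, not part of the thread and not the repository's own code: a toy in-memory model of the two behaviours discussed above, with a regression check that lists child names whose existence is visible to a user who has no READ permission on them. The class, method and user names are all hypothetical.

```java
import java.util.*;
import java.util.function.Predicate;

// Toy in-memory model, constructed for illustration; not the repository's real classes.
public class HasNodeAclCheck {
    static class Node {
        // child name -> users granted READ on that child
        private final Map<String, Set<String>> childReaders = new HashMap<>();

        void addNode(String name, String... readers) {
            childReaders.put(name, new HashSet<>(Arrays.asList(readers)));
        }

        // Behaviour reported in the question: existence is answered with no ACL check.
        boolean hasNodeUnchecked(String name) {
            return childReaders.containsKey(name);
        }

        // Behaviour described in the reply: without READ permission the answer is false.
        boolean hasNode(String name, String user) {
            Set<String> readers = childReaders.get(name);
            return readers != null && readers.contains(user);
        }
    }

    // Regression check: names reported as existing although the user has no READ on them.
    static List<String> leakedNames(Node parent, String user,
                                    Predicate<String> hasNodeImpl, List<String> names) {
        List<String> leaked = new ArrayList<>();
        for (String name : names) {
            boolean readable = parent.hasNode(name, user);
            if (hasNodeImpl.test(name) && !readable) leaked.add(name);
        }
        return leaked;
    }

    public static void main(String[] args) {
        Node root = new Node();
        root.addNode("foo", "alice");        // constructed data: only alice may read "foo"
        root.addNode("pub", "alice", "bob"); // readable by both users
        List<String> names = Arrays.asList("foo", "pub", "missing");

        List<String> before = leakedNames(root, "bob", root::hasNodeUnchecked, names);
        List<String> after = leakedNames(root, "bob", n -> root.hasNode(n, "bob"), names);
        System.out.println("unchecked hasNode leaks:   " + before);
        System.out.println("ACL-checked hasNode leaks: " + after);
        if (!before.equals(Arrays.asList("foo")) || !after.isEmpty())
            throw new AssertionError("unexpected result");
    }
}
```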