1 Reply Latest reply on Jan 26, 2015 12:16 PM by hchiorean

    Node ACLs not checked when calling "hasNode"


      I'm creating a node with pretty strict ACLs, so basically after the node is created nobody can read it anymore. Now when I log in as a different user and query the main node via




      it still returns a correct true/false depending on whether the node actually exists. If I call




      I'm getting the (expected) AccessDeniedException.


      I've checked the source code and see that hasNode never actually checks any ACLs. Is that the intended behaviour? This is (at least) a minor security risk, isn't it?