I'm creating a node with pretty strict ACLs so basically after the node is created nobody can read it anymore. Now when I login as a different user and query the main node via
it still returns a correct true/false depending on whether the node actually exists. If I call
I'm getting the (expected) AccessDeniedException.
I've checked the source code and see that hasNode never actually checks any ACLs. Is that the intended behaviour? This is (at least) a minor security risk, isn't it?
No, in this case hasNode should check READ permissions and return false. Feel free to open an issue. Thanks.