1 Reply Latest reply on Jan 26, 2015 12:16 PM by hchiorean

    Node ACLs not checked when calling "hasNode"

    janpetzold

      I'm creating a node with pretty strict ACLs so basically after the node is created nobody can read it anymore. Now when I log in as a different user and query the main node via

      node.hasNode("foo");

      it still returns a correct true/false depending on whether the node actually exists. If I call

      node.getNode("foo");

      I'm getting the (expected) AccessDeniedException.

      I've checked the source code and see that hasNode never actually checks any ACLs. Is that the intended behaviour? This is (at least) a minor security risk, isn't it?
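
A caller-side way to keep the existence of unreadable nodes from leaking, relying only on the getNode behaviour described in the post above. This is an added example, not part of the original post and not ModeShape code; the class and method names are hypothetical, and the standard javax.jcr 2.0 API is assumed to be on the classpath.

```java
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;

/** Hypothetical helper (not a ModeShape class): child lookups that honour read ACLs. */
public final class AclAwareLookup {

    private AclAwareLookup() {
        // static helpers only
    }

    /**
     * Returns the child only if it exists AND the current session may read it.
     * "Missing" and "denied" both yield null, so the caller cannot tell the
     * two cases apart and the lookup does not act as an existence oracle.
     * Other repository failures still propagate as RepositoryException.
     */
    public static Node readableChildOrNull(Node parent, String relPath)
            throws RepositoryException {
        try {
            // getNode goes through the access check, unlike hasNode in the post.
            return parent.getNode(relPath);
        } catch (PathNotFoundException | AccessDeniedException e) {
            // Collapse both outcomes into one answer.
            return null;
        }
    }

    /**
     * Replacement for parent.hasNode(relPath) wherever the result is shown to,
     * or can be inferred by, a user who may lack read access to the child.
     */
    public static boolean hasReadableNode(Node parent, String relPath)
            throws RepositoryException {
        return readableChildOrNull(parent, relPath) != null;
    }
}
```

With the setup from the post, `AclAwareLookup.hasReadableNode(node, "foo")` returns false for the second user whether or not "foo" exists.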