4 Replies Latest reply on Feb 10, 2015 2:06 PM by Osman Din

    ACLs not checked when updating properties

    Osman Din Newbie

      It seems that when a property is updated, the credentials are never checked (only upon creation). In the source code AbstractJcrProperty[0]  (or its set of sub-classes) seems to be missing any check.

       

      This happens with setValue().

       

      I'm assuming this is by design, but this seems to be a security loophole.

       

      [0] https://github.com/ModeShape/modeshape/blob/master/modeshape-jcr/src/main/java/org/modeshape/jcr/AbstractJcrProperty.java