4 Replies Latest reply on Feb 10, 2015 2:06 PM by osmandin

ACLs not checked when updating properties

osmandin Feb 10, 2015 10:42 AM

It seems that when a property is updated, the credentials are never checked (only upon creation). In the source code AbstractJcrProperty[0] (or its set of sub-classes) seems to be missing any check.

This happens with setValue().

I'm assuming this is by design, but this seems to be a security loophole.

[0] https://github.com/ModeShape/modeshape/blob/master/modeshape-jcr/src/main/java/org/modeshape/jcr/AbstractJcrProperty.java

1. Re: ACLs not checked when updating properties

hchiorean Feb 10, 2015 10:26 AM (in response to osmandin)

Is the property updated via node.setProperty or property.setValue ?
Actions
2. Re: ACLs not checked when updating properties

osmandin Feb 10, 2015 12:40 PM (in response to hchiorean)

via property.setValue
Actions
3. Re: ACLs not checked when updating properties

hchiorean Feb 10, 2015 12:44 PM (in response to osmandin)

Then this looks like a bug. The code should be checking for the jcr:modifyProperties (or set_property) permission. Please open a ticket in our JIRA. Thanks.
Actions
4. Re: ACLs not checked when updating properties

osmandin Feb 10, 2015 2:06 PM (in response to hchiorean)

The issue has been filed. Thanks.

https://issues.jboss.org/browse/MODE-2428
Actions

Go to original post