jackrabbit-oak icon indicating copy to clipboard operation
jackrabbit-oak copied to clipboard
verified publisher icon apache

OAK-11733: Adding information to access denied

Open Amoratinos opened this issue 9 months ago • 4 comments

When getting an access denied exception it's hard to identify the path and what was the options evaluated.

Amoratinos avatar May 21 '25 10:05 Amoratinos

lgtm

cschneider avatar May 22 '25 07:05 cschneider

@anchela - did you consider whether this could disclose information that the caller shouldn't get?

reschke avatar May 22 '25 12:05 reschke

To my understanding it shouldn't be any risk as it's only revealing the path. Initially more information was exposed like the actions or the permissions requested but that was removed.

In my opinion, the method we should pay the most attention to is the one that receives the tree, the property state, and the actions, since this is the one used in multiple places. This checkPermissions is used on NodeImpl.addNode removeMixin addMixin methods and in ImporterImpl.createTree. The only scenario where I could foresee a risk is when the path of a node is used like an ID, e.g. node path represents a token or sth like, and I think that's an edge case.

Amoratinos avatar May 22 '25 14:05 Amoratinos

@reschke , i looked at all instances where the methods are being called today and didn't find how they would reveal the existence of a path it it would happen with itemExists or in the permissionvalidator. if you happen to find a case, i am happy to be proven wrong.

having said that: please check as well.... will wait for your explicit approval before merging it

anchela avatar May 22 '25 16:05 anchela