2 Replies Latest reply on Jun 6, 2014 4:14 PM by ma6rl

    Should custom AuthorizationProvider be invoked for each child node when iterating through the child nodes of a parent node?

    ma6rl

      I am currently running ModeShape 4.0 Alpha 3 in Wildfly 8.1.

       

      I have a custom AuthorizationProvider implementation that I use to apply custom business logic when attempting to perform an action on a node.

       

      One thing that I have noticed is that if I execute the following code

       

      Set<String> nodes = new TreeSet<>();
      Node parentNode = repositorySession.getNode(parentPath);
      for (NodeIterator nodeIterator = parentNode.getNodes(); nodeIterator.hasNext(); ) {
          nodes.add(nodeIterator.nextNode().getPath());
      }
      

       

      my custom AuthorizationProvider is only called once for the parent node, it is not called for each of the child nodes that I retrieve via the iterator. Instead as long as my custom AuthorizationProvider allows me to read the parent node I can get all of the child nodes without checking that I have permission to do so.

       

      Is this the expected behavior (i.e. it is assumed that if you have access to the parent node you have access to the children)?

       

      I also performed the following test using a query and iterating through the nodes

       

      Set<String> nodes = new TreeSet<>();
      Node parentNode = repositorySession.getNode(parentPath);
      String queryString = "select node.[jcr:name] from [nt:unstructured] as node where node.[jcr:name] like '%" + nodeNamePattern + "%'";
      QueryResult queryResult = queryManager.createQuery(queryString, Query.JCR_SQL2).execute();
      for (NodeIterator nodeIterator = queryResult.getNodes(); nodeIterator.hasNext(); ) {
          nodes.add(nodeIterator.nextNode().getPath());
      }
      

       

      in this test my AuthorizationProvider was called for each node returned by the node iterator as expected. Given this should I use a query to retrieve the child nodes for a parent if I want to have my custom AuthorizationProvider called for each child node?

       

      Many thanks in advance.