JSR_283-766

Inconsistency between Item.remove and Session.removeItem

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: current
    • Fix Version/s: milestone 1
    • Component/s: general
    • Labels:
      None
    • Environment:

      Operating System: All
      Platform: All

    • Issuezilla Id:
      766

      Description

      When an attempt is made to remove a node and that node or a subnode is the target of a hidden
      reference (a reference which the current session cannot see) then the behavior of these two methods
      differs:

      Item.remove immediately throws an AccessDeniedException (the more conventional case of a non-hidden
      reference is handled by a ReferentialIntegrityException upon save)

      Session.removeItem immediately throws a PathNotFoundException.

      The latter was, I think, a misguided attempt to "cleverly" conceal from the client that a hidden reference
      exists (an alleged security hole) but this doesn't work anyway since the client can always try to get the
      node via getNode and find out that the PathNotFound is bogus.

      So I suggest we add AccessDeniedException to Session.removeItem for the case of the hidden reference
      and reserve PathNotFound to when there really is no path visible.
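
The check order proposed above, as an added example that is not part of the original issue or of any JCR implementation. It is a toy in-memory model: the class, its fields and the nested exception classes are hypothetical stand-ins named after the JCR exceptions, and the paths are constructed sample data.

```java
import java.util.*;

// Added illustration only: a toy in-memory model, not the javax.jcr API or any
// repository implementation. Exception names mirror the JCR ones for readability.
public class RemoveItemModel {
    static class PathNotFoundException extends Exception {}
    static class AccessDeniedException extends Exception {}
    static class ReferentialIntegrityException extends Exception {}

    final Set<String> visiblePaths = new HashSet<>();      // paths this session can read
    final Set<String> hiddenRefTargets = new HashSet<>();  // targets of references the session cannot see
    final Set<String> visibleRefTargets = new HashSet<>(); // targets of references the session can see
    final Set<String> pendingRemovals = new HashSet<>();   // removals not yet saved

    static boolean inSubtree(String root, String path) {
        return path.equals(root) || path.startsWith(root + "/");
    }

    // Proposed behaviour: same outcome as Item.remove for a hidden reference.
    void removeItem(String absPath) throws PathNotFoundException, AccessDeniedException {
        if (!visiblePaths.contains(absPath)) throw new PathNotFoundException(); // really no visible path
        for (String t : hiddenRefTargets)
            if (inSubtree(absPath, t)) throw new AccessDeniedException();       // node or subnode is a hidden-reference target
        pendingRemovals.add(absPath);
    }

    // Non-hidden references are only checked when the removal is saved.
    void save() throws ReferentialIntegrityException {
        for (String removed : pendingRemovals)
            for (String t : visibleRefTargets)
                if (inSubtree(removed, t)) throw new ReferentialIntegrityException();
        visiblePaths.removeIf(p -> pendingRemovals.stream().anyMatch(r -> inSubtree(r, p)));
        pendingRemovals.clear();
    }

    public static void main(String[] args) throws Exception {
        RemoveItemModel s = new RemoveItemModel();
        s.visiblePaths.addAll(List.of("/a", "/a/b", "/c", "/d")); // constructed sample tree
        s.hiddenRefTargets.add("/a/b");
        s.visibleRefTargets.add("/c");
        try { s.removeItem("/a"); } catch (AccessDeniedException e) { System.out.println("/a: AccessDeniedException"); }
        try { s.removeItem("/x"); } catch (PathNotFoundException e) { System.out.println("/x: PathNotFoundException"); }
        s.removeItem("/c");
        try { s.save(); } catch (ReferentialIntegrityException e) { System.out.println("/c: ReferentialIntegrityException on save"); }
    }
}
```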

        Activity

        Peeter Piegaze added a comment -

        Fixed as proposed


          People

          • Assignee:
            jsr-283-issues
            Reporter:
            Peeter Piegaze
          • Votes:
            0
            Watchers:
            0

            Dates

            • Created:
              Updated:
              Resolved: