Author: tolusha
Date: 2010-11-01 06:04:33 -0400 (Mon, 01 Nov 2010)
New Revision: 3371
Modified:
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/dataflow/ItemState.java
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/SessionDataManager.java
Log:
JCR-1485: The access permission should be checked in the method readItem to ensure that
the security check cannot be bypassed. The access permission should be checked only when apiRead
== false, since when apiRead == true we check the permissions at JCR level. Also check the
access permission in the constructor of ItemState when isInternalCreated == true.
Modified:
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/dataflow/ItemState.java
===================================================================
---
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/dataflow/ItemState.java 2010-10-29
15:43:22 UTC (rev 3370)
+++
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/dataflow/ItemState.java 2010-11-01
10:04:33 UTC (rev 3371)
@@ -18,6 +18,7 @@
*/
package org.exoplatform.services.jcr.dataflow;
+import org.exoplatform.services.jcr.core.security.JCRRuntimePermissions;
import org.exoplatform.services.jcr.datamodel.ItemData;
import org.exoplatform.services.jcr.datamodel.QPath;
import org.exoplatform.services.log.ExoLogger;
@@ -102,7 +103,7 @@
* @param ancestorToSave
* - path of item which should be called in save (usually for
session.move())
* @param isInternalCreated
- * - indicates that item is created internaly by system
+ * - indicates that item is created internally by system
*/
public ItemState(ItemData data, int state, boolean eventFire, QPath ancestorToSave,
boolean isInternalCreated)
{
@@ -112,6 +113,16 @@
public ItemState(ItemData data, int state, boolean eventFire, QPath ancestorToSave,
boolean isInternalCreated,
boolean isPersisted)
{
+ if (isInternalCreated)
+ {
+ // Need privileges
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ {
+
security.checkPermission(JCRRuntimePermissions.INVOKE_INTERNAL_API_PERMISSION);
+ }
+ }
+
this.data = data;
this.state = state;
this.eventFire = eventFire;
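Review bot: The permission check guards only this six-argument constructor, so any other path that can produce an ItemState with the internal-created flag set would skip it. Other constructors, deserialisation (if the class supports it) and subclasses are not visible in this hunk and are worth confirming. A comment above the check would record the intent, for example `// isInternalCreated marks system-created items; only callers holding INVOKE_INTERNAL_API_PERMISSION may set it`. The same SecurityManager block is added again in SessionDataManager.readItem, so a small shared static helper would keep the two sites from drifting apart. The constructor body continues outside the hunk.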
@@ -208,6 +219,7 @@
return ancestorToSave;
}
+ @Override
public boolean equals(Object obj)
{
if (this == obj)
Modified:
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/SessionDataManager.java
===================================================================
---
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/SessionDataManager.java 2010-10-29
15:43:22 UTC (rev 3370)
+++
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/SessionDataManager.java 2010-11-01
10:04:33 UTC (rev 3371)
@@ -357,13 +357,6 @@
public ItemImpl getItem(NodeData parent, QPathEntry name, boolean pool, ItemType
itemType, boolean apiRead)
throws RepositoryException
{
- // Need privileges
- SecurityManager security = System.getSecurityManager();
- if (security != null)
- {
- security.checkPermission(JCRRuntimePermissions.INVOKE_INTERNAL_API_PERMISSION);
- }
-
long start = System.currentTimeMillis();
if (log.isDebugEnabled())
{
@@ -577,6 +570,16 @@
protected ItemImpl readItem(ItemData itemData, NodeData parent, boolean pool, boolean
apiRead)
throws RepositoryException
{
+ if (!apiRead)
+ {
+ // Need privileges
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ {
+
security.checkPermission(JCRRuntimePermissions.INVOKE_INTERNAL_API_PERMISSION);
+ }
+ }
+
if (itemData != null)
{
ItemImpl item;
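Review bot: The INVOKE_INTERNAL_API_PERMISSION check in readItem is skipped whenever `apiRead` is true, and `apiRead` is a plain boolean argument of the public getItem and getItemByIdentifier, which lose their unconditional checks in this same commit. The commit log says JCR-level permissions cover the `apiRead == true` case, but that enforcement is not visible in these hunks, so any caller able to reach the public methods chooses which check applies. I would state the invariant at the branch, e.g. `// apiRead == true is safe only because the JCR-level access check runs on the returned item; internal reads need INVOKE_INTERNAL_API_PERMISSION`, and add a test that runs under a SecurityManager without the permission and asserts both paths are denied as expected. It is also worth confirming that every return path of getItem and getItemByIdentifier goes through readItem (the `pool` parameter suggests a cache lookup), since otherwise the `apiRead == false` case loses the check the removed lines provided. readItem's body continues outside the hunk.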
@@ -639,13 +642,6 @@
*/
public ItemImpl getItemByIdentifier(String identifier, boolean pool, boolean apiRead)
throws RepositoryException
{
- // Need privileges
- SecurityManager security = System.getSecurityManager();
- if (security != null)
- {
- security.checkPermission(JCRRuntimePermissions.INVOKE_INTERNAL_API_PERMISSION);
- }
-
long start = System.currentTimeMillis();
if (log.isDebugEnabled())
{