Issue Details (XML | Word | Printable)

Key: KERN-693
Type: Bug Bug
Status: Resolved Resolved
Resolution: Fixed
Priority: Major Major
Assignee: Unassigned
Reporter: Oszkar Nagy
Votes: 0
Watchers: 0
Operations

If you were logged in you would be able to see more operations.
Nakamura

Can't move site node - access denied

Created: 09-Mar-2010 04:16   Updated: 02-Apr-2010 09:39
Component/s: Authorization - ACL
Affects Version/s: 0.3
Fix Version/s: 0.5

Time Tracking:
Original Estimate: 4 hours
Original Estimate - 4 hours
Remaining Estimate: 4 hours
Remaining Estimate - 4 hours
Time Spent: Not Specified
Remaining Estimate - 4 hours

Environment: OSX 10.5, java 1.5
Issue Links:
Depend
 


 Description  « Hide
While trying to fix SAKIII-33, I run into a mysterious access denied exception while moving a site node:

When trying to move "/sites/test" to "/sites/asd" I get a 500 with the following error (moving with doing a POST with ":operation":"move" ":dest":"newURL"):

<head>
    <title>Error while processing /sites/test</title>
</head>
    <body>
    <h1>Error while processing /sites/test</h1>
    <table>
        <tbody>
            <tr>
                <td>Status</td>
                <td><div id="Status">500</div></td>
            </tr>
            <tr>
                <td>Message</td>
                <td><div id="Message">javax.jcr.AccessDeniedException: Not allowed to move node /sites/test to /sites/asd</div></td>
            </tr>
            <tr>
                <td>Location</td>
                <td><a href="/sites/test" id="Location">/sites/test</a></td>
            </tr>
            <tr>
                <td>Parent Location</td>
                <td><a href="/sites" id="ParentLocation">/sites</a></td>
            </tr>
            <tr>
                <td>Path</td>
                <td><div id="Path">/sites/test</div></td>
            </tr>
            <tr>
                <td>Referer</td>
                <td><a href="http://localhost:8080/dev/site_management_basic_settings.html?siteid=&siteid=test" id="Referer">http://localhost:8080/dev/site_management_basic_settings.html?siteid=&siteid=test&lt;/a&gt;&lt;/td>
            </tr>
            <tr>
                <td>ChangeLog</td>
                <td><div id="ChangeLog"><pre></pre></div></td>
            </tr>
        </tbody>
    </table>
    <p><a href="http://localhost:8080/dev/site_management_basic_settings.html?siteid=&siteid=test">Go Back</a></p>
    <p><a href="/sites/test">Modified Resource</a></p>
    <p><a href="/sites">Parent of Modified Resource</a></p>
    </body>
</html>


My site node looks like this:
{

    * sakai:is-site-template: false
    * jcr:isCheckedOut: true
    * jcr:versionHistory: "a2b32f54-804e-4325-bad2-107be877d8bf"
    * language: "default"
    * id: "test"
    *
      -
      sakai:rolemembers: [
          o "g-91ee9eaf-2e53-478f-bdb6-8c40085d2d43-viewers"
          o "g-91ee9eaf-2e53-478f-bdb6-8c40085d2d43-collaborators"
      ]
    * sling:resourceType: "sakai/site"
    * sakai:site-template: "/templates/template"
    *
      -
      sakai:authorizables: [
          o "g-91ee9eaf-2e53-478f-bdb6-8c40085d2d43-viewers"
          o "g-91ee9eaf-2e53-478f-bdb6-8c40085d2d43-collaborators"
      ]
    *
      -
      jcr:mixinTypes: [
          o "rep:AccessControllable"
          o "mix:versionable"
      ]
    * name: "Life of wookies"
    *
      -
      jcr:predecessors: [
          o "c4c23041-d7d6-4ce9-9146-32d6ea562b4d"
      ]
    * access: "everyone"
    *
      -
      sakai:roles: [
          o "Viewer"
          o "Collaborator"
      ]
    * sakai:skin: "/dev/_skins/original/original.html"
    * jcr:baseVersion: "c4c23041-d7d6-4ce9-9146-32d6ea562b4d"
    * status: "online"
    * sakai:savedBy: "oszkar"
    * jcr:primaryType: "nt:unstructured"
    * jcr:uuid: "91ee9eaf-2e53-478f-bdb6-8c40085d2d43"
    * :isMaintainer: true

}

When trying to do this I am logged in with the user which created the site.









 All   Comments   Work Log   Change History   Subversion Commits   git Commits      Sort Order: Ascending order - Click to sort in descending order
Oszkar Nagy made changes - 09-Mar-2010 04:20
Field Original Value New Value
Link This issue is depended on by SAKIII-33 [ SAKIII-33 ]
Oszkar Nagy made changes - 26-Mar-2010 05:06
Link This issue is depended on by SAKIII-294 [ SAKIII-294 ]
Ian Boston made changes - 26-Mar-2010 23:58
Original Estimate 4 hours [ 14400 ]
Remaining Estimate 4 hours [ 14400 ]
Fix Version/s 0.5 [ 11777 ]
[ Permlink | « Hide ]
Oszkar Nagy added a comment - 29-Mar-2010 07:23
This issue is present in 0.4 as well with JCR 2.

Adding info from log:

29.03.2010 15:20:04.765 *ERROR* [127.0.0.1 [1269872404759] POST /sites/test2 HTTP/1.1] org.apache.sling.servlets.post.impl.operations.MoveOperation Exception during response processing. javax.jcr.AccessDeniedException: Not allowed to move node /sites/test2 to /sites/pupeka
at org.apache.jackrabbit.core.SessionImpl.move(SessionImpl.java:1109)
at org.apache.sling.servlets.post.impl.operations.MoveOperation.execute(MoveOperation.java:58)
at org.apache.sling.servlets.post.impl.operations.AbstractCopyMoveOperation.doRun(AbstractCopyMoveOperation.java:111)
at org.apache.sling.servlets.post.AbstractSlingPostOperation.run(AbstractSlingPostOperation.java:87)
at org.apache.sling.servlets.post.impl.SlingPostServlet.doPost(SlingPostServlet.java:178)
at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:143)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:338)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:369)
at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:525)
at org.apache.sling.engine.impl.SlingMainServlet.processRequest(SlingMainServlet.java:421)
at org.apache.sling.engine.impl.filter.RequestSlingFilterChain.render(RequestSlingFilterChain.java:48)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:64)
at org.apache.sling.engine.impl.debug.RequestProgressTrackerLogFilter.doFilter(RequestProgressTrackerLogFilter.java:59)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:60)
at org.sakaiproject.nakamura.persistence.TransactionManagerFilter.doFilter(TransactionManagerFilter.java:95)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:60)
at org.sakaiproject.nakamura.cluster.ClusterTrackingFilter.doFilter(ClusterTrackingFilter.java:87)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:60)
at org.apache.sling.engine.impl.SlingMainServlet.service(SlingMainServlet.java:306)
at org.apache.sling.engine.impl.SlingMainServlet.service(SlingMainServlet.java:202)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:502)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:389)
at org.ops4j.pax.web.service.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:64)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
at org.ops4j.pax.web.service.internal.HttpServiceContext.handle(HttpServiceContext.java:111)
at org.ops4j.pax.web.service.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:64)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:324)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:535)
at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:880)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:747)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:520)

Repository Revision Date Author/Committer Message
3akai-ux commit 69d3458465a2d558d3a47d42edacde32ae3d1936 1269873043 -----p Mon Mar 29 07:30:43 PDT 2010 oszkarnagy / oszkarnagy SAKIII-33 Added move operation after url change, but commented until KERN-693 is fixed
Files Changed
MODIFY README.md
MODIFY dev/_configuration/config.js
MODIFY dev/_javascript/site_basic_settings.js

Ray Davis made changes - 30-Mar-2010 09:32
Assignee Ray Davis [ raydavis ]
Ray Davis made changes - 30-Mar-2010 09:32
Status Open [ 1 ] In Progress [ 3 ]
[ Permlink | « Hide ]
Ray Davis added a comment - 30-Mar-2010 11:34
This is specifically an issue when moving a site to a new location under "/sites". The "/sites" root node is not writable via normal JCR privileges. Instead, the site-create servlet uses a component-specific pseudo-privilege property to decide whether the current user can add children to the node. (This is the logic that kicks in when the client posts to "/sites.createsite".) The same pseudo-privilege needs to somehow be supported for move and copy operations.

My initial test seems to indicate that it *is* possible to move an existing site so long as the user has proper access to the destination parent node.

[ Permlink | « Hide ]
Ray Davis added a comment - 30-Mar-2010 14:41
Sling's usual recommendation for adding resourceType-specific functionality to the normal SlingPostServlet is via a SlingPostProcessor. (That's how the Site component handles site access-scheme updates, for example.) But IIRC when I tried a couple of months ago, I found that a post-processor *on* a resource doesn't help much with opening up access *to* the resource, and I also had problems trying to use a request wrapper to get around normal access controls. So there may not be as clean a fix as I'd like.

[ Permlink | « Hide ]
Ray Davis added a comment - 30-Mar-2010 14:53
One way to approach this would be to add two new parameters to the "createsite" POST API:

":moveFrom" = the existing site which should be moved to the ":sitepath" location

":copyFrom" = the existing site which should be copied to the ":sitepath" location

Like I say, not squeaky clean, but at least it would keep the site-creation access check in one place.

Repository Revision Date Author/Committer Message
3akai-ux commit 0be1a7bf859c2fe130d5ab7f2babf410ac0e1207 1269988639 -----p Tue Mar 30 15:37:19 PDT 2010 Christian Vuerings / Christian Vuerings Merge branch 'master' into sakiii-297

* master:
  SAKIII-33 Added move operation after url change, but commented until KERN-693 is fixed
  Cosmetic readme changes
  Readme fixes
  Updated README for Github
  Removed checklist.txt as it is irrelevant now
  SAKIII-26 changes to profile_edit.js to add ajax spinner when saving data
Files Changed

[ Permlink | « Hide ]
Ray Davis added a comment - 01-Apr-2010 10:01
Checked in fix as http://github.com/raydavis/open-experiments/commit/1aee2eb5f35819e8d94399c621944d6d56a7cde2

That commit includes some pretty massive refactoring to deal with the four-way workflow. On the plus side, that should make it easier to extract these operations into server-side services should the need arise.

I'll leave this task assigned to me and unresolved until Ian merges and I've updated the client-server documentation on Confluence.

Ray Davis made changes - 02-Apr-2010 09:38
Status In Progress [ 3 ] Open [ 1 ]
[ Permlink | « Hide ]
Ray Davis added a comment - 02-Apr-2010 09:39
Ian has merged and I've updated <http://confluence.sakaiproject.org//x/GIDzAQ>.

Ray Davis made changes - 02-Apr-2010 09:39
Status Open [ 1 ] Resolved [ 5 ]
Assignee Ray Davis [ raydavis ]
Resolution Fixed [ 1 ]
Repository Revision Date Author/Committer Message
3akai-ux commit b0ef2b5c767d49d03b2985b23ba21dcbbd368206 1270722076 -----p Thu Apr 08 03:21:16 PDT 2010 Simon G / Simon G Merge remote branch 'oszkar/master'

* oszkar/master: (24 commits)
  SAKIII-53 Removed JAR creation from Ant script as Maven does this now in OSGI compatible way
  We can be less agressive about the previous update
  At Ian's suggestion, go back to inheriting from the Nakamura base POM
  More release-related copy-and-paste which I can't realistically test myself
  Update for newer Nakamura code; take Ant task into account; unable to fully test sakai-release or to check that redeploy works (since the UX is still out of synch with Nakamura)
  Maven POM for 3akai UX. I've been using this successfully in development on a couple of other tasks, so it seems worth stashing in a named branch until I'm ready to request a merge.
  SAKIII-303 - put the toJSON in the saveJSON function in Sakai magic + updated the widgets that use it.
  Cosmetic CSS change on Comments widget
  SAKIII-300 - change the path of the profile pic
  Pager fixes
  SAKIII-297 - updated some more widgets to make them work with the latest save/load widget data
  SAKIII-302 Updated message search service paths
  SAKIII-301 changes to createsite.js to alert if siteid taken
  SAKIII-286 changes to inbox css to address IE7 issue
  SAKIII-297 - got the poll widget working again
  SAKIII-297 - made modifications to the poll widget to make it work with the new save functionality
  SAKIII-297 - second round of patches
  SAKIII-33 Added move operation after url change, but commented until KERN-693 is fixed
  Cosmetic readme changes
  Readme fixes
  ...
Files Changed


Powered by a free Atlassian JIRA open source license for Sakai Foundation. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.2-#335) - Bug/feature request - Atlassian news - Contact Administrators