Skip to content

OAK-11733: Adding information to access denied #2300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: trunk
Choose a base branch
from
Open

OAK-11733: Adding information to access denied #2300

wants to merge 3 commits into from

Conversation

Amoratinos
Copy link
Contributor

When getting an access denied exception it's hard to identify the path and what was the options evaluated.

anchela
anchela approved these changes May 21, 2025
View reviewed changes
Copy link
Contributor

@anchela anchela left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@cschneider
Copy link

lgtm

@reschke
Copy link
Contributor

reschke commented May 22, 2025

@anchela - did you consider whether this could disclose information that the caller shouldn't get?

@Amoratinos
Copy link
Contributor Author

To my understanding it shouldn't be any risk as it's only revealing the path. Initially more information was exposed like the actions or the permissions requested but that was removed.

In my opinion, the method we should pay the most attention to is the one that receives the tree, the property state, and the actions, since this is the one used in multiple places. This checkPermissions is used on NodeImpl.addNode removeMixin addMixin methods and in ImporterImpl.createTree. The only scenario where I could foresee a risk is when the path of a node is used like an ID, e.g. node path represents a token or sth like, and I think that's an edge case.

@anchela
Copy link
Contributor

anchela commented May 22, 2025
edited
Loading

@reschke , i looked at all instances where the methods are being called today and didn't find how they would reveal the existence of a path it it would happen with itemExists or in the permissionvalidator.
if you happen to find a case, i am happy to be proven wrong.

having said that:
please check as well.... will wait for your explicit approval before merging it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anchela anchela anchela approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Amoratinos @cschneider @reschke @anchela