do not expose UUID unless the node is referenceable #214
Comments
|
i think the actual bug here is something else: the property jcr:uuid of mix:referenceable is so i think at least after creation, you should never be allowed to change that value. i just experimented with the jackrabbit implementation in java, and it behaves horribly (jackrabbit 2.6.0):
when i add the mixin first, i get "ConstraintViolationException: Item is protected" so with jackrabbit, its not possible to manually decide on the uuid. imho the sane way would be to say:
|
not sure I understand .. we have been manually setting the UUID in PHPCR ODM for a while now. or are you saying that it cannot be changed manually? |
|
i think in jackalope-jackrabbit we allow to set it on creation. and the jackrabbit davex remoting allows to set it. later change is prevented by the jackrabbit server side. but the jackrabbit java code does not allow to ever set the uuid aparently. |
|
In our cases the phpcr-odm creates and sets the uuid, when the node got Seeing that i can't believe why the test does not fail for all implementations. Or is there a difference in setting that property between the implementations? Cause for some reasons, the example worked without setting |
|
ah, indeed the semantics should be that when mix:referenceable was newly added there is no jcr:uuid property until save. if you set it manually, you chose the uuid. after the save its autogenerated and becomes immutable. |
|
i think we do have part one, you can just set it. but when you have the mixin, validation should prevent changing that. i think we need a lot more of validating the node types in jackalope. in the beginning we just relied on the jackrabbit backend to do the validation (it does, but only at save) and have nothing for the doctrine transport. i thought there was a general issue about validation, but only found #171 |
|
From my POV the phpc-odm should have nothing to do with the implementations. @dbu you said same to me on an other issue. So i would expect that the uuid generation is a task of the implementation and the phpcr-odm should only do: |
|
the problem is that when we create documents that reference each other, we would need several save to get that right, or do a second iteration to link them together. and as all known phpcr implementations support setting the uuid when the node does not yet have a uuid we did it like that... i guess for this ticket: i would prevent writing jcr:uuid on a node that is not mix:referenceable. as its in the jcr namespace its ok to limit what may be done. this will solve this issue and reveal mistakes. i tend to want to keep our current logic that you can manually chose the uuid of a new node/newly made referenceable node for convenience. but surely not change it once it exists. |
|
+1 for the manual assignation of the UUID before the first save, it would be madly inefficient otherwise :) |
|
@dantleech with manually you mean, that the user, in our case phpcr-odm creates the uuid and sets it to node/document? |
|
yes, as we do now I believe |
|
hm, note that the jackalope change will prevent setting a uuid on a non-referenceable node, and will never expose a uuid on them. but if you look up the uuid in the database, searching for it will still work. not sure if we should care about that at all - can't really see when this is a problem. if people do horrible hacks with the db its their own loss... |
it seems we already have some logic in place for this https://github.com/jackalope/jackalope-doctrine-dbal/blob/master/src/Jackalope/Transport/DoctrineDBAL/Client.php#L1095
however while working on some issues in PHPCR ODM we noticed that it was possible to set a UUID (this might make sense) and then search by UUID even on a non referenceable node (this results in people being able to write code where all nodes behave like referenceable nodes which can lead to problems when migrating to a different backend).
The text was updated successfully, but these errors were encountered: