Author: enorman
Date: Sun Feb 28 19:44:54 2010
New Revision: 917278
URL: http://svn.apache.org/viewvc?rev=917278&view=rev
Log:
SLING-1413 - In Jackrabbit 2.0, Privileges can now be denied for Groups. The
ModifyAceServlet and security ContentLoader should allow it as well.
Modified:
sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java
sling/trunk/launchpad/content/src/main/resources/content/apps/sling/servlet/default/ace.html.esp
sling/trunk/launchpad/testing/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java
Modified:
sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java
URL:
http://svn.apache.org/viewvc/sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java?rev=917278&r1=917277&r2=917278&view=diff
==============================================================================
---
sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java
(original)
+++
sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java
Sun Feb 28 19:44:54 2010
@@ -316,20 +316,18 @@
acl.addAccessControlEntry(principal,
grantedPrivilegeList.toArray(new Privilege[grantedPrivilegeList.size()]));
}
- //if the authorizable is a user (not a group) process any denied
privileges
+ //process any denied privileges
UserManager userManager = getUserManager(session);
Authorizable authorizable = userManager.getAuthorizable(principal);
- if (!authorizable.isGroup()) {
- //add a fresh ACE with the denied privileges
- List<Privilege> deniedPrivilegeList = new
ArrayList<Privilege>();
- for (String name : newDeniedPrivilegeNames) {
- Privilege privilege =
accessControlManager.privilegeFromName(name);
- deniedPrivilegeList.add(privilege);
- }
- if (deniedPrivilegeList.size() > 0) {
- addEntry(acl, principal,
deniedPrivilegeList.toArray(new Privilege[deniedPrivilegeList.size()]), false);
- }
- }
+ //add a fresh ACE with the denied privileges
+ List<Privilege> deniedPrivilegeList = new
ArrayList<Privilege>();
+ for (String name : newDeniedPrivilegeNames) {
+ Privilege privilege =
accessControlManager.privilegeFromName(name);
+ deniedPrivilegeList.add(privilege);
+ }
+ if (deniedPrivilegeList.size() > 0) {
+ addEntry(acl, principal,
deniedPrivilegeList.toArray(new Privilege[deniedPrivilegeList.size()]), false);
+ }
accessControlManager.setPolicy(resourcePath, acl);
if (log.isDebugEnabled()) {
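Review bot: With the `isGroup()` branch removed, the `authorizable` returned by `userManager.getAuthorizable(principal)` is no longer read anywhere in this hunk, so the lookup is now either dead code or an unstated validation step. Before the change, a principal with no matching authorizable would have failed at `authorizable.isGroup()`. Now the deny ACE is built and `setPolicy` is reached without that implicit check. Either drop the two lookup lines or make the intent explicit, for example `if (authorizable == null) { throw new RepositoryException("No authorizable found for principal " + principal.getName()); }`, assuming the method already declares `RepositoryException`. The enclosing method starts and ends outside the hunk, so a later use of `authorizable` cannot be ruled out from here.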
Modified:
sling/trunk/launchpad/content/src/main/resources/content/apps/sling/servlet/default/ace.html.esp
URL:
http://svn.apache.org/viewvc/sling/trunk/launchpad/content/src/main/resources/content/apps/sling/servlet/default/ace.html.esp?rev=917278&r1=917277&r2=917278&view=diff
==============================================================================
---
sling/trunk/launchpad/content/src/main/resources/content/apps/sling/servlet/default/ace.html.esp
(original)
+++
sling/trunk/launchpad/content/src/main/resources/content/apps/sling/servlet/default/ace.html.esp
Sun Feb 28 19:44:54 2010
@@ -5,14 +5,12 @@
response.sendError(404);
} else {
var principalId = request.getParameter("pid");
- var isUser = false;
var isValidPrincipal = false;
if (principalId != null && principalId != "") {
var userManager =
Packages.org.apache.sling.jcr.base.util.AccessControlUtil.getUserManager(currentNode.session);
if (userManager != null) {
var authorizable = userManager.getAuthorizable(principalId);
if (authorizable != null) {
- isUser = !authorizable.isGroup();
isValidPrincipal = true;
} else {
//no user/group matches the supplied principal id
@@ -72,12 +70,10 @@
<table width="100%">
<thead>
<tr>
- <th align="left" width="<%=isUser ? '70%' :
'55%'%>">Privilege</th>
+ <th align="left" width="55%">Privilege</th>
<th align="center" width="15%">Ignored</th>
<th align="center" width="15%">Granted</th>
- <% if (isUser) { %>
<th align="center" width="15%">Denied</th>
- <% } %>
</tr>
</thead>
<tbody>
@@ -86,12 +82,10 @@
var p = supported[i];
%>
<tr>
- <td align="left" width="<%=isUser ? '70%' :
'55%'%>"><%=p.getName()%></td>
+ <td align="left" width="55%"><%=p.getName()%></td>
<td align="center" width="15%"><input type="radio"
name="privilege@<%=p.getName()%>" value="none" <%=granted.contains(p) ||
denied.contains(p) ? "" : "checked"%> /></td>
<td align="center" width="15%"><input type="radio"
name="privilege@<%=p.getName()%>" value="granted" <%=granted.contains(p) ?
"checked" : ""%> /></td>
- <% if (isUser) { %>
<td align="center" width="15%"><input type="radio"
name="privilege@<%=p.getName()%>" value="denied" <%=denied.contains(p) ?
"checked" : ""%> /></td>
- <% } %>
</tr>
<%
}
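Review bot: The rewritten cell `<td align="left" width="55%"><%=p.getName()%></td>` and the three `name="privilege@<%=p.getName()%>"` attributes appear to write the privilege name into the page as-is, in both text and attribute context. Privilege names normally come from the repository's supported set, so the exposure is probably small, but this page edits access control and the new Denied column adds a third unescaped attribute per row. Consider HTML-encoding the name once per row into a local variable and using that in all four places. The loop and the definitions of `granted` and `denied` lie outside the hunk.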
@@ -99,7 +93,7 @@
</tbody>
<tfoot>
<tr>
- <td colspan="<%=isUser ? '3' : '2'%>"></td>
+ <td colspan="3"></td>
<td align="center" width="15%">
<button accesskey="a" id="applyButton"
class="form-button" type="submit">Apply</button>
</td>
Modified:
sling/trunk/launchpad/testing/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java
URL:
http://svn.apache.org/viewvc/sling/trunk/launchpad/testing/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java?rev=917278&r1=917277&r2=917278&view=diff
==============================================================================
---
sling/trunk/launchpad/testing/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java
(original)
+++
sling/trunk/launchpad/testing/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java
Sun Feb 28 19:44:54 2010
@@ -141,8 +141,9 @@
assertEquals(1, grantedArray.length());
assertEquals("jcr:read", grantedArray.getString(0));
- //denied rights are not applied for groups, so make sure it is
not there
- assertTrue(aceObject.isNull("denied"));
+ JSONArray deniedArray = aceObject.getJSONArray("denied");
+ assertNotNull(deniedArray);
+ assertEquals("jcr:write", deniedArray.getString(0));
}
/**
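Review bot: The new denied-side assertions are weaker than the granted-side ones just above, which check `assertEquals(1, grantedArray.length())` before reading element 0. Adding `assertEquals(1, deniedArray.length());` before `deniedArray.getString(0)` would let the test catch a group ACE that denies more privileges than were requested. `assertNotNull(deniedArray)` is probably redundant, since `getJSONArray` most likely throws rather than returning null when the key is absent. The test method begins outside the hunk, so the request parameters that produce `jcr:write` are not visible here.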