Author: enorman
Date: Wed Aug 14 05:28:14 2013
New Revision: 1513729
URL: http://svn.apache.org/r1513729
Log:
SLING-3010 integrate patch from Anjan. Added integration tests to guard against
future regressions.
Modified:
sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java
sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java
Modified:
sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java
URL:
http://svn.apache.org/viewvc/sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java?rev=1513729&r1=1513728&r2=1513729&view=diff
==============================================================================
---
sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java
(original)
+++
sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java
Wed Aug 14 05:28:14 2013
@@ -484,6 +484,9 @@ public class AccessControlUtil {
if (privilege.isAggregate()) {
Privilege[] privileges =
privilege.getAggregatePrivileges();
for (Privilege disaggregate : privileges) {
+ if (disaggregate.isAggregate()) {
+ continue; //nested aggregate, so skip
it since the privileges are already included.
+ }
disaggregatedPrivilegeNames.add(disaggregate.getName());
}
} else {
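Review bot: The new `continue` for nested aggregates is only safe if `getAggregatePrivileges()` returns the full transitive set, which is what the JCR `Privilege` contract describes but nothing in this loop checks. If an implementation returned only the directly declared members, the leaf privileges of a nested aggregate would be dropped from `disaggregatedPrivilegeNames` without any error, and the resulting entry would cover fewer privileges than the caller asked to grant or deny. I would make the dependency explicit in the comment, e.g. `// nested aggregate: its leaf privileges are already in this array because getAggregatePrivileges() is transitive (unlike getDeclaredAggregatePrivileges())`. The enclosing method starts and ends outside this hunk, so how the collected names are used afterwards is not visible here.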
Modified:
sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java
URL:
http://svn.apache.org/viewvc/sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java?rev=1513729&r1=1513728&r2=1513729&view=diff
==============================================================================
---
sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java
(original)
+++
sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java
Wed Aug 14 05:28:14 2013
@@ -855,4 +855,140 @@ public class ModifyAceTest extends Abstr
JSONObject jsonObject = new JSONObject(json);
assertNotNull(jsonObject);
}
+
+
+ /**
+ * Test for SLING-3010
+ */
+ public void
testMergeAceForUserGrantNestedAggregatePrivilegeAfterDenySuperAggregatePrivilege()
throws IOException, JSONException {
+ testUserId = createTestUser();
+
+ testFolderUrl = createTestFolder();
+
+ String postUrl = testFolderUrl + ".modifyAce.json";
+
+ //1. setup an initial set of denied privileges for the test user
+ List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+ postParams.add(new NameValuePair("principalId", testUserId));
+ postParams.add(new
NameValuePair("privilege@jcr:versionManagement", "denied"));
+ postParams.add(new NameValuePair("privilege@jcr:read",
"denied"));
+ postParams.add(new
NameValuePair("privilege@jcr:modifyAccessControl", "denied"));
+ postParams.add(new NameValuePair("privilege@rep:write",
"denied"));
+
+ Credentials creds = new UsernamePasswordCredentials("admin",
"admin");
+ /*String json = */getAuthenticatedPostContent(creds, postUrl,
CONTENT_TYPE_JSON, postParams, HttpServletResponse.SC_OK);
+
+
+ //2. now grant the jcr:write subset from the rep:write aggregate
privilege
+ postParams = new ArrayList<NameValuePair>();
+ postParams.add(new NameValuePair("principalId", testUserId));
+ postParams.add(new
NameValuePair("privilege@jcr:versionManagement", "granted"));
+ postParams.add(new NameValuePair("privilege@jcr:read",
"granted"));
+ postParams.add(new
NameValuePair("privilege@jcr:modifyAccessControl", "granted"));
+ postParams.add(new NameValuePair("privilege@jcr:write",
"granted")); //sub-aggregate of rep:write
+
+ /*String json = */getAuthenticatedPostContent(creds, postUrl,
CONTENT_TYPE_JSON, postParams, HttpServletResponse.SC_OK);
+
+ //3. verify that the acl has the correct values
+ //fetch the JSON for the acl to verify the settings.
+ String getUrl = testFolderUrl + ".acl.json";
+
+ String json = getAuthenticatedContent(creds, getUrl,
CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+ assertNotNull(json);
+
+ JSONObject jsonObject = new JSONObject(json);
+ assertEquals(1, jsonObject.length());
+
+ JSONObject aceObject = jsonObject.optJSONObject(testUserId);
+ assertNotNull(aceObject);
+
+ assertEquals(testUserId, aceObject.optString("principal"));
+
+ JSONArray grantedArray = aceObject.getJSONArray("granted");
+ assertNotNull(grantedArray);
+ assertEquals(4, grantedArray.length());
+ Set<String> grantedPrivilegeNames = new HashSet<String>();
+ for (int i=0; i < grantedArray.length(); i++) {
+ grantedPrivilegeNames.add(grantedArray.getString(i));
+ }
+
assertTrue(grantedPrivilegeNames.contains("jcr:versionManagement"));
+ assertTrue(grantedPrivilegeNames.contains("jcr:read"));
+
assertTrue(grantedPrivilegeNames.contains("jcr:modifyAccessControl"));
+ assertTrue(grantedPrivilegeNames.contains("jcr:write"));
+
+ JSONArray deniedArray = aceObject.getJSONArray("denied");
+ assertNotNull(deniedArray);
+ assertEquals(1, deniedArray.length());
+ Set<String> deniedPrivilegeNames = new HashSet<String>();
+ for (int i=0; i < deniedArray.length(); i++) {
+ deniedPrivilegeNames.add(deniedArray.getString(i));
+ }
+ //the leftovers from the denied rep:write that were not granted
with jcr:write
+
assertTrue(deniedPrivilegeNames.contains("jcr:nodeTypeManagement"));
+ }
+
+ /**
+ * Test for SLING-3010
+ */
+ public void
testMergeAceForUserGrantAggregatePrivilegePartsAfterDenyAggregatePrivilege()
throws IOException, JSONException {
+ testUserId = createTestUser();
+
+ testFolderUrl = createTestFolder();
+
+ String postUrl = testFolderUrl + ".modifyAce.json";
+
+ //1. setup an initial set of denied privileges for the test user
+ List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+ postParams.add(new NameValuePair("principalId", testUserId));
+ postParams.add(new
NameValuePair("privilege@jcr:versionManagement", "denied"));
+ postParams.add(new NameValuePair("privilege@jcr:read",
"denied"));
+ postParams.add(new
NameValuePair("privilege@jcr:modifyAccessControl", "denied"));
+ postParams.add(new NameValuePair("privilege@rep:write",
"denied"));
+
+ Credentials creds = new UsernamePasswordCredentials("admin",
"admin");
+ /*String json = */getAuthenticatedPostContent(creds, postUrl,
CONTENT_TYPE_JSON, postParams, HttpServletResponse.SC_OK);
+
+ //2. now grant the all the privileges contained in the rep:write
privilege
+ postParams = new ArrayList<NameValuePair>();
+ postParams.add(new NameValuePair("principalId", testUserId));
+ postParams.add(new
NameValuePair("privilege@jcr:versionManagement", "granted"));
+ postParams.add(new NameValuePair("privilege@jcr:read",
"granted"));
+ postParams.add(new
NameValuePair("privilege@jcr:modifyAccessControl", "granted"));
+ postParams.add(new
NameValuePair("privilege@jcr:nodeTypeManagement", "granted")); //sub-privilege
of rep:write
+ postParams.add(new NameValuePair("privilege@jcr:write",
"granted")); //sub-aggregate of rep:write
+
+ /*String json = */getAuthenticatedPostContent(creds, postUrl,
CONTENT_TYPE_JSON, postParams, HttpServletResponse.SC_OK);
+
+ //3. verify that the acl has the correct values
+ //fetch the JSON for the acl to verify the settings.
+ String getUrl = testFolderUrl + ".acl.json";
+
+ String json = getAuthenticatedContent(creds, getUrl,
CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+ assertNotNull(json);
+
+ JSONObject jsonObject = new JSONObject(json);
+ assertEquals(1, jsonObject.length());
+
+ JSONObject aceObject = jsonObject.optJSONObject(testUserId);
+ assertNotNull(aceObject);
+
+ assertEquals(testUserId, aceObject.optString("principal"));
+
+ JSONArray grantedArray = aceObject.getJSONArray("granted");
+ assertNotNull(grantedArray);
+ assertEquals(4, grantedArray.length());
+ Set<String> grantedPrivilegeNames = new HashSet<String>();
+ for (int i=0; i < grantedArray.length(); i++) {
+ grantedPrivilegeNames.add(grantedArray.getString(i));
+ }
+
assertTrue(grantedPrivilegeNames.contains("jcr:versionManagement"));
+ assertTrue(grantedPrivilegeNames.contains("jcr:read"));
+
assertTrue(grantedPrivilegeNames.contains("jcr:modifyAccessControl"));
+ assertTrue(grantedPrivilegeNames.contains("rep:write"));
//jcr:nodeTypeManagement + jcr:write
+
+ //should be nothing left in the denied set.
+ JSONArray deniedArray = aceObject.optJSONArray("denied");
+ assertNull(deniedArray);
+ }
+
}
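Review bot: Both new tests exercise only the deny-then-grant order, so the direction that matters most for access control is untested: granting `rep:write` and then denying the nested `jcr:write` aggregate. If the disaggregation change affects that path as well (the merge code is outside this diff, so this is an assumption), a regression there would leave a user with broader write access than the ACE was meant to allow, and neither test would notice. I would add a third test for the inverse order, sketched below. Its expected values mirror the first test by symmetry and should be confirmed against the merge logic. Separately, `assertNotNull(grantedArray)` and `assertNotNull(deniedArray)` after `getJSONArray(...)` cannot fail, because that call throws when the key is missing.

```java
/**
 * Test for SLING-3010: a deny of a nested aggregate must survive a prior grant of its super-aggregate
 */
public void testMergeAceForUserDenyNestedAggregatePrivilegeAfterGrantSuperAggregatePrivilege()
        throws IOException, JSONException {
    testUserId = createTestUser();
    testFolderUrl = createTestFolder();
    String postUrl = testFolderUrl + ".modifyAce.json";
    Credentials creds = new UsernamePasswordCredentials("admin", "admin");

    //1. grant the super-aggregate
    List<NameValuePair> postParams = new ArrayList<NameValuePair>();
    postParams.add(new NameValuePair("principalId", testUserId));
    postParams.add(new NameValuePair("privilege@rep:write", "granted"));
    getAuthenticatedPostContent(creds, postUrl, CONTENT_TYPE_JSON, postParams, HttpServletResponse.SC_OK);

    //2. now deny the nested jcr:write aggregate
    postParams = new ArrayList<NameValuePair>();
    postParams.add(new NameValuePair("principalId", testUserId));
    postParams.add(new NameValuePair("privilege@jcr:write", "denied"));
    getAuthenticatedPostContent(creds, postUrl, CONTENT_TYPE_JSON, postParams, HttpServletResponse.SC_OK);

    //3. the deny must be present and only the remainder of rep:write may stay granted
    String json = getAuthenticatedContent(creds, testFolderUrl + ".acl.json", CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
    JSONObject aceObject = new JSONObject(json).optJSONObject(testUserId);
    assertNotNull(aceObject);

    JSONArray deniedArray = aceObject.getJSONArray("denied");
    assertEquals(1, deniedArray.length());
    assertEquals("jcr:write", deniedArray.getString(0));

    JSONArray grantedArray = aceObject.getJSONArray("granted");
    assertEquals(1, grantedArray.length());
    assertEquals("jcr:nodeTypeManagement", grantedArray.getString(0));
}
```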