[sling-org-apache-sling-jcr-jackrabbit-accessmanager] branch master updated: SLING-8812 DeleteAce request should return a meaningful error message when an invalid principalId is submitted

[enorman]

This is an automated email from the ASF dual-hosted git repository.

enorman pushed a commit to branch master
in repository 
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-jcr-jackrabbit-accessmanager.git


The following commit(s) were added to refs/heads/master by this push:
     new 3011525  SLING-8812 DeleteAce request should return a meaningful error 
message when an invalid principalId is submitted
3011525 is described below

commit 3011525cddd608d74537f8428ed7d408e7526be8
Author: Eric Norman <enor...@apache.org>
AuthorDate: Mon Oct 28 13:56:28 2019 -0700

    SLING-8812 DeleteAce request should return a meaningful error message
    when an invalid principalId is submitted
---
 .../accessmanager/post/DeleteAcesServlet.java          | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git 
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/DeleteAcesServlet.java
 
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/DeleteAcesServlet.java
index f58eceb..baac3ac 100644
--- 
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/DeleteAcesServlet.java
+++ 
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/DeleteAcesServlet.java
@@ -16,6 +16,7 @@
  */
 package org.apache.sling.jcr.jackrabbit.accessmanager.post;
 
+import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -31,6 +32,7 @@ import javax.jcr.security.AccessControlList;
 import javax.jcr.security.AccessControlManager;
 import javax.servlet.Servlet;
 
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.sling.api.SlingHttpServletRequest;
 import org.apache.sling.api.resource.ResourceNotFoundException;
 import org.apache.sling.jcr.base.util.AccessControlUtil;
@@ -156,6 +158,22 @@ public class DeleteAcesServlet extends 
AbstractAccessPostServlet implements Dele
                        Set<String> pidSet = new HashSet<String>();
                        pidSet.addAll(Arrays.asList(principalNamesToDelete));
 
+                       // validate that the submitted names are valid
+                       Set<String> notFound = null;
+                       PrincipalManager principalManager = 
AccessControlUtil.getPrincipalManager(jcrSession);
+                       for (String pid : pidSet) {
+                               Principal principal = 
principalManager.getPrincipal(pid);
+                               if (principal == null) {
+                                       if (notFound == null) {
+                                               notFound = new HashSet<>();
+                                       }
+                                       notFound.add(pid);
+                               }
+                       }
+                       if (notFound != null && !notFound.isEmpty()) {
+                               throw new RepositoryException("Invalid 
principalId was submitted.");
+                       }
+                       
                        try {
                                AccessControlManager accessControlManager = 
AccessControlUtil.getAccessControlManager(jcrSession);
                                AccessControlList updatedAcl = 
getAccessControlListOrNull(accessControlManager, resourcePath, false);