Inconsistent access to EveryonePrincipal
----------------------------------------
Key: JCR-2801
URL: https://issues.apache.org/jira/browse/JCR-2801
Project: Jackrabbit Content Repository
Issue Type: Bug
Components: jackrabbit-core
Affects Versions: 2.1.1
Reporter: Ray Davis
Jackrabbit's PrincipalManagerImpl lets any session retrieve the
EveryonePrincipal (whose name is "everyone") via the getEveryone() method. An
administrative session which calls getPrincipal("everyone") naturally retrieves
the same object. But a non-administrative session which calls
getPrincipal("everyone") will instead receive null.
The problem is caused by the DefaultPrincipalProvider, which refers to the
EveryonePrincipal in many other places (for example, always adding it to
getGroupMembership results), but does not allow for it in the canReadPrincipal
check.
This makes it more difficult for clients to manage default Jackrabbit ACLs. In
Apache Sling, for example, a non-administrative user with all privileges on a
Node will not be able to use Sling's usual ModifyAceServlet to deny "everyone"
access to that Node.
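To confirm the inconsistency on a given repository, the following diagnostic (an added example, not code from the issue or from Jackrabbit itself) performs the calls the report describes in one place. It assumes the standard Jackrabbit 2.x API (JackrabbitSession, PrincipalManager, UserManager) and that the caller passes an already-open Session; run it once with an administrative session and once with a non-administrative one.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;

/** Checks whether one session sees the "everyone" principal consistently (added example). */
public final class EveryoneConsistencyCheck {

    /** Name of the built-in group principal referred to in JCR-2801. */
    static final String EVERYONE = "everyone";

    /**
     * Returns true when getEveryone() and getPrincipal("everyone") agree for
     * the session; on a mismatch it prints what each lookup returned.
     */
    public static boolean isConsistent(Session session) throws RepositoryException {
        if (!(session instanceof JackrabbitSession)) {
            throw new IllegalArgumentException("not a Jackrabbit session");
        }
        JackrabbitSession js = (JackrabbitSession) session;
        PrincipalManager pm = js.getPrincipalManager();

        Principal viaGetEveryone = pm.getEveryone();      // available to every session
        Principal viaLookup = pm.getPrincipal(EVERYONE);  // null for non-admin sessions per the report

        // Group membership is reported to include "everyone" regardless of the session.
        boolean memberOfEveryone = false;
        Authorizable self = js.getUserManager().getAuthorizable(session.getUserID());
        if (self != null) {
            PrincipalIterator groups = pm.getGroupMembership(self.getPrincipal());
            while (groups.hasNext()) {
                if (EVERYONE.equals(groups.nextPrincipal().getName())) {
                    memberOfEveryone = true;
                }
            }
        }

        boolean consistent = viaGetEveryone != null && viaLookup != null;
        if (!consistent) {
            System.out.printf("user=%s getEveryone=%s getPrincipal(\"everyone\")=%s memberOfEveryone=%b%n",
                    session.getUserID(), viaGetEveryone, viaLookup, memberOfEveryone);
        }
        return consistent;
    }
}
```

A false result for a non-administrative session alongside memberOfEveryone=true reproduces the mismatch between DefaultPrincipalProvider's membership results and its canReadPrincipal check.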