[
https://issues.apache.org/jira/browse/JCR-3758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
angela resolved JCR-3758.
-------------------------
Resolution: Invalid
user principals always take precedence over group principals. so, in order to
make your setup work as expected you either have to deny access to the user
again or use group principals altogether (which is IMO better).
this is not a bug but works as designed.
> Adding 'deny' entry for Everyone principal to a subnode does not deny access
> to that node for principals defined on parent nodes
> --------------------------------------------------------------------------------------------------------------------------------
>
> Key: JCR-3758
> URL: https://issues.apache.org/jira/browse/JCR-3758
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-core
> Reporter: Dave Heath
> Attachments: Test_JCR3758.java
>
>
> If I wanted to have a user principal with access to an nt:folder node /a1 but
> no access to the subnode at /a1/a2, I should be able to grant access to that
> user principal on /a1 with Privilege.JCR_ALL and then call
> AccessControlUtils.denyAllToEveryone on /a1/a2. However, granting access on
> /a1 grants access to all subnodes of /a1 unless access is explicitly denied
> for that particular user principal. Denying access to Everyone is only
> effective if the Everyone principal is the means by which the user is granted
> access.
> See the attached test case for an example of this behavior.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
