Anshika Agarwal created JCRVLT-94:
-------------------------------------
Summary: [AccessControlHandling] Unexpected behavior of acHandling
'merge'
Key: JCRVLT-94
URL: https://issues.apache.org/jira/browse/JCRVLT-94
Project: Jackrabbit FileVault
Issue Type: Bug
Components: vlt
Affects Versions: 3.1.22
Reporter: Anshika Agarwal
Fix For: 3.1.22
As per the document [0], the AccessControlHandling for 'merge' should be
merging access control provided with the package with the one in the content by
replacing the access control entries of corresponding principals (i.e. package
first).
This means if the package contains ACEs for a principal P, it should remove
all the ACEs for that principal in the content and add the ones in the package.
However, I am not seeing this expected behavior. The behavior I am seeing is as
follows:
- ‘merge’ - Merges access control in the content with the one provided
with the package by adding the access control entries of principals not present
in the content but not removing the ones not present in the package.
For instance ACLs “jcr:read,jcr:versionManagement,rep:write” to forms-users
exists in CRX at ‘/content/apps/cm’. And now if we change the ACLs for the same
user/group and path to “rep:write,crx:replicate” and install our package, a
union of ACLs is seen i.e.
“jcr:read,jcr:versionManagement,rep:write,crx:replicate” to forms-users at
‘/content/apps/cm’.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
