[ https://issues.apache.org/jira/browse/JCRVLT-61?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15000812#comment-15000812 ]

Tobias Bocanegra commented on JCRVLT-61:
----------------------------------------

define _on a per entry level_ ? 

do you mean you want to define individual ACEs and define the order of them? 
how do you want to achieve this? and what is the use case?
also note that the ACE entries are usually re-calculated when possible by the 
AccessControlManager. Also, VLT currently parses the ACEs and uses the 
AccessControlManager API directly to perform the operations (see 
{{org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter}}).

If we want to provide a more fine-grained ACL manipulation, I suggest to come 
up with an alternative, more command-based way.
e.g.:

{noformat}
# setup ACL based policy on /content
begin ACL on /content
  add grant jcr:all for everyone
end

# only allow jcr:read for user0
begin ACL on /content/secret
  add deny jcr:all for everyone
  add allow jcr:read for user0
end

# ensure that user1 has only read access. remove existing ACL
begin ACL on /content/update
  remove jcr:all for user1
  add allow jcr:read for user1
end

# ensure that deny for everyone comes first
begin ACL on /content
  add deny jcr:all everyone before *
end

# ensure that deny for user2 comes after everyone
begin ACL on /content
  add deny rep:write user2 after everyone
end
{noformat}

WDYT?

/cc [~anchela] 

> Allow AccessControllHandling be defined per filter root
> -------------------------------------------------------
>
>                 Key: JCRVLT-61
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-61
>             Project: Jackrabbit FileVault
>          Issue Type: Improvement
>          Components: Packaging
>            Reporter: Tobias Bocanegra
>
> the current packaging only allows to specify the AccessControlHandling per 
> package. if one requires different behaviors for different content trees, the 
> only workaround today is to create sub-packages.
> it would be nice if the ac-control handling can be defined by workspace 
> filter root, similar to the ImportMode - or even tie the 
> AccessControlHandling to the ImportMode. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
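
The command sketch in the comment above, worked through as an added example that is not part of the original message and is not FileVault code: a small interpreter that applies the commands to an in-memory ordered entry list, so the effect of `before *` and `after everyone` on ACE order is visible. The grammar, the function name `apply_script`, treating `grant` as `allow`, and letting `remove` drop entries of either effect are assumptions inferred from the sketch; a real implementation would go through the AccessControlManager API.

```python
import re

# Grammar inferred from the sketch (an assumption); "for" is optional as in its ordering lines.
BEGIN = re.compile(r"begin ACL on (\S+)")
ADD = re.compile(r"add (grant|allow|deny) (\S+) (?:for )?(\S+)(?: (before|after) (\S+))?")
REMOVE = re.compile(r"remove (\S+) for (\S+)")

def apply_script(script, acls=None):
    """Apply commands to {path: [(effect, privilege, principal)]}; list order is ACE order."""
    acls = {p: list(a) for p, a in (acls or {}).items()}
    acl = None  # entry list of the currently open begin/end block
    for n, raw in enumerate(script.splitlines(), 1):
        line = " ".join(raw.split("#", 1)[0].split())  # drop comments, normalise spaces
        if not line:
            continue
        opening = BEGIN.fullmatch(line)
        if (acl is None) != bool(opening):
            raise ValueError(f"line {n}: commands need one open, un-nested begin/end block")
        if opening:
            acl = acls.setdefault(opening.group(1), [])
        elif line == "end":
            acl = None
        elif m := ADD.fullmatch(line):
            effect, priv, who, where, ref = m.groups()
            entry = ("deny" if effect == "deny" else "allow", priv, who)
            if entry in acl:
                acl.remove(entry)  # re-adding an existing entry moves it
            hits = [i for i, e in enumerate(acl) if e[2] == ref]
            if where is None or ref == "*":
                acl.insert(0 if where == "before" else len(acl), entry)
            elif not hits:
                raise ValueError(f"line {n}: no entry for principal {ref}")
            else:
                acl.insert(hits[0] if where == "before" else hits[-1] + 1, entry)
        elif m := REMOVE.fullmatch(line):
            acl[:] = [e for e in acl if (e[1], e[2]) != m.groups()]
        else:
            raise ValueError(f"line {n}: cannot parse {line!r}")
    if acl is not None:
        raise ValueError("missing end")
    return acls

# Sample input: the /content commands from the comment, merged into one block.
SAMPLE = """begin ACL on /content
  add grant jcr:all for everyone
  add deny jcr:all everyone before *
  add deny rep:write user2 after everyone
end"""

print(apply_script(SAMPLE)["/content"])
```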
