[jira] [Commented] (JCRVLT-61) Allow AccessControllHandling be defined per filter root

Thu, 12 Nov 2015 17:27:53 -0800 

    [ 
https://issues.apache.org/jira/browse/JCRVLT-61?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15003355#comment-15003355
 ] 

Robert Munteanu commented on JCRVLT-61:
---------------------------------------

As far as declarative syntax goes, I prefer what puppet does with ensure. 
Instead of telling vlt what to do, we tell it the expected state. For instance, 
in your example of

{noformat}
# ensure that user1 has only read access. remove existing ACL
begin ACL on /content/update
  remove jcr:all for user1
  add allow jcr:read for user1
end
{noformat}

What happens if user1 already has {{jcr:read}} and {{rep:write}} on 
/content/update? Asking to remove {{jcr:all}} may be interpreted as either

- remove {{jcr:all}}, if present
- remove any privilege, if present

One possibility to clarify is to use '*' instead of {{jcr:all}

{noformat}
# ensure that user1 has only read access. remove existing ACL
begin ACL on /content/update
  remove * for user1
  add allow jcr:read for user1
end
{noformat}

Another is to use an ensure-style syntax

{noformat}
# ensure that user1 has only read access. remove existing ACL
begin ACL on /content/update
  ensure user1 has only jcr:read
end
{noformat}

With the variations

* {{ensure has}} - equivalent to add
* {{ensure does not have}} - equivalent to remove

Of course, we can have a less verbose syntax, just trying to make a point about 
the language being more declarative

> Allow AccessControllHandling be defined per filter root
> -------------------------------------------------------
>
>                 Key: JCRVLT-61
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-61
>             Project: Jackrabbit FileVault
>          Issue Type: Improvement
>          Components: Packaging
>            Reporter: Tobias Bocanegra
>
> the current packaging only allows to specify the AccessControllHandling per 
> package. if one requires different behaviors for different content trees, the 
> only workaround today is to create sub-packages.
> it would be nice if the ac-control handling can be defined by workspace 
> filter root, similar to the iImportMode - or even tie the 
> AccessControllHandling to the ImportMode. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to