[GitHub] [jackrabbit-oak] enapps-enorman commented on a change in pull request #471: OAK-9675 allow authorizable properties defined by a mixin

[GitBox]

enapps-enorman commented on a change in pull request #471:
URL: https://github.com/apache/jackrabbit-oak/pull/471#discussion_r794754078



##########
File path: 
oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizablePropertiesImpl.java
##########
@@ -234,9 +236,34 @@ private PropertyState getAuthorizableProperty(@NotNull 
Tree authorizableTree, @N
         }
         ReadOnlyNodeTypeManager nodeTypeManager = 
authorizable.getUserManager().getNodeTypeManager();
         PropertyDefinition def = nodeTypeManager.getDefinition(parent, 
property, true);
-        if (def.isProtected() || (authorizablePath.equals(parent.getPath())
-                && 
!def.getDeclaringNodeType().isNodeType(UserConstants.NT_REP_AUTHORIZABLE))) {
+        if (def.isProtected()) {
+            // exclude all protected properties
             return null;
+        } else if (authorizablePath.equals(parent.getPath())) {
+            // non-protected properties on the root must be defined by the 
expected
+            //  primary type or one of the configured mixin types
+            Boolean allowed = null;
+            NodeType declaringNodeType = def.getDeclaringNodeType();
+            if 
(declaringNodeType.isNodeType(UserConstants.NT_REP_AUTHORIZABLE)) {
+                // defined by the expected primary type so allowed
+                allowed = Boolean.TRUE;

Review comment:
       Yes, perhaps I didn't explain that well enough.  This proposal is mostly 
about reading authorizable properties.  I was able to deal with the setting of 
those authorizable properties using ACLs and already existing (and custom) code.
   
   Basically my intention is to utilize ACLs to limit the setting of 
properties.  Essentially, I have re-configured the 
DefaultAuthorizableActionProvider (as below) so each user is only allowed 
"rep:alterProperties" rights on their home folder.  So they would only be able 
to update properties that already exist.  Then I have a custom 
AuthorizableActionProvider component that applies additional actions that will 
add the appropriate mixin type to the home folders and populates initial values 
for the properties that the end user should have access to alter.
   
   For example, via OSGi configuration like this:
   `        
"org.apache.jackrabbit.oak.spi.security.user.action.DefaultAuthorizableActionProvider":{
               "userPrivilegeNames":[
                   "jcr:read", 
                   "rep:alterProperties"
               ],
               "groupPrivilegeNames":[
                   "jcr:read"
               ],
               "enabledActions":[
                   
"org.apache.jackrabbit.oak.spi.security.user.action.AccessControlAction"
               ]
           }
   `
   
   Do you see any flaw with that approach?




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@jackrabbit.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org