[GitHub] [jackrabbit-oak] anchela commented on a change in pull request #471: OAK-9675 allow authorizable properties defined by a mixin

Wed, 02 Feb 2022 06:46:35 -0800 


anchela commented on a change in pull request #471:
URL: https://github.com/apache/jackrabbit-oak/pull/471#discussion_r797679798



##########
File path: 
oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizablePropertiesImpl.java
##########
@@ -234,9 +236,34 @@ private PropertyState getAuthorizableProperty(@NotNull 
Tree authorizableTree, @N
         }
         ReadOnlyNodeTypeManager nodeTypeManager = 
authorizable.getUserManager().getNodeTypeManager();
         PropertyDefinition def = nodeTypeManager.getDefinition(parent, 
property, true);
-        if (def.isProtected() || (authorizablePath.equals(parent.getPath())
-                && 
!def.getDeclaringNodeType().isNodeType(UserConstants.NT_REP_AUTHORIZABLE))) {
+        if (def.isProtected()) {
+            // exclude all protected properties
             return null;
+        } else if (authorizablePath.equals(parent.getPath())) {
+            // non-protected properties on the root must be defined by the 
expected
+            //  primary type or one of the configured mixin types
+            Boolean allowed = null;
+            NodeType declaringNodeType = def.getDeclaringNodeType();
+            if 
(declaringNodeType.isNodeType(UserConstants.NT_REP_AUTHORIZABLE)) {
+                // defined by the expected primary type so allowed
+                allowed = Boolean.TRUE;

Review comment:
       @enapps-enorman , let me try to rephrase to make sure i get your use 
case right:
   - you want to make sure that a user can only modify and read the properties 
stored in in the subtree of it's home node
   - upon user/group creation you create a set of properties
   - but in addition you enforce particular types/values of those properties by 
adding mixins to the user/group node
   - however, properties defined by those mixins will not be returned by 
Authorizable.getProperty.
   
   so, your use-case is not about limiting the set of properties that can be 
written by adding mixins but rather making sure those defined by mixins are 
also returned as authorizable properties.
   is that correct?




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to