[GitHub] [jackrabbit-oak] enapps-enorman commented on a change in pull request #471: OAK-9675 allow authorizable properties defined by a mixin

Thu, 10 Feb 2022 11:42:57 -0800 


enapps-enorman commented on a change in pull request #471:
URL: https://github.com/apache/jackrabbit-oak/pull/471#discussion_r804046483



##########
File path: 
oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizablePropertiesImpl.java
##########
@@ -234,9 +236,34 @@ private PropertyState getAuthorizableProperty(@NotNull 
Tree authorizableTree, @N
         }
         ReadOnlyNodeTypeManager nodeTypeManager = 
authorizable.getUserManager().getNodeTypeManager();
         PropertyDefinition def = nodeTypeManager.getDefinition(parent, 
property, true);
-        if (def.isProtected() || (authorizablePath.equals(parent.getPath())
-                && 
!def.getDeclaringNodeType().isNodeType(UserConstants.NT_REP_AUTHORIZABLE))) {
+        if (def.isProtected()) {
+            // exclude all protected properties
             return null;
+        } else if (authorizablePath.equals(parent.getPath())) {
+            // non-protected properties on the root must be defined by the 
expected
+            //  primary type or one of the configured mixin types
+            Boolean allowed = null;
+            NodeType declaringNodeType = def.getDeclaringNodeType();
+            if 
(declaringNodeType.isNodeType(UserConstants.NT_REP_AUTHORIZABLE)) {
+                // defined by the expected primary type so allowed
+                allowed = Boolean.TRUE;

Review comment:
       Yes, it is true that we don't want invalid values in the subtree either. 
 However, I believe that scenario could already be handled with the previously 
existing code via ACLs (by denying the rights to create children) and/or via 
pre-creating the possible subtree nodes with specific primary types that 
defines what properties are allowed.  Only the properties of the root home 
folder could not be handled that way which is why I proposed this enhancement.
   
   In fact the above is exactly what we are trying to do with a custom 
AuthorizableActionProvider component that pre-creates a "private" subfolder 
with a custom primary type (and an appropriate ACL) whenever a new user is 
created.
   




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to