[ https://issues.apache.org/jira/browse/JCRVLT-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17771234#comment-17771234 ]
Mark Adamcin commented on JCRVLT-721:
-------------------------------------

[~kwin] Instead of relying on the usersPath and groupsPath and the associated ambiguity to decide whether to short-circuit, I think we can probably just check the node type here: [https://github.com/apache/jackrabbit-filevault/blob/f8f86c7fbd392deddf561f64c2e93126d50aa5dd/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JackrabbitACLManagement.java#L215]

This condition should be sufficient to determine whether Authorizables are allowed at or below the path of the provided node:
{code:java}
node.isNodeType("rep:AuthorizableFolder") || isAuthorizableNodeType(node.getPrimaryNodeType().getName())
{code}

> Importing content packages with minimum permissions fails
> ----------------------------------------------------------
>
>                 Key: JCRVLT-721
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-721
>             Project: Jackrabbit FileVault
>          Issue Type: Bug
>          Components: Packaging
>   Affects Versions: 3.7.0
>            Reporter: Ankita Agarwal
>            Priority: Major
>
> Importing Content Packages using a dedicated user (with minimum permissions)
> has failed with AccessDeniedExceptions since JCRVLT 3.7.0 release.
> This is a regression of issue JCRVLT-683 specifically to logic that has been
> added to determine the root paths of groups and users in
> JackrabbitACLManagement#determineAuthorizableRootPaths
> ([https://github.com/apache/jackrabbit-filevault/blame/jackrabbit-filevault-3.7.0/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JackrabbitACLManagement.java#L119]).
> The new logic creates a group and a user in order to determine the root paths
> of groups and users and immediately deletes them afterward.
> This is a bad solution as it breaks the Principle of Least Permission (PoLP):
> The user that is being used to import content should not have permission to
> create and delete users and groups.
> The root paths of users and groups are always initialized as /home/users and
> /home/groups, so there is little need to determine root paths by creating and
> deleting groups and users.
> ----
> *Steps to reproduce:*
> * You create a user that you use to import content. You give it all
> permissions on /content
> * When you import a content package that replaces existing content (= when
> you import the same content package twice, and it has "replace" in its filter
> definition), you will see that it fails with the error that it cannot access
> the /home/groups or /home/users repository path
> ----
> *Expected Behavior:* Successful content package imports
> ----
> *Experienced Behavior:* Content package imports that succeeded before now
> fail with AccessDeniedExceptions

--
This message was sent by Atlassian Jira
(v8.20.10#820010)