[
https://issues.apache.org/jira/browse/JCRVLT-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17771234#comment-17771234
]
Mark Adamcin commented on JCRVLT-721:
-------------------------------------
[~kwin] Instead of relying on the usersPath and groupsPath and the associated
ambiguity to decide whether to short-circuit, I think we can probably just
check the node type here:
[https://github.com/apache/jackrabbit-filevault/blob/f8f86c7fbd392deddf561f64c2e93126d50aa5dd/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JackrabbitACLManagement.java#L215]
This condition should be sufficient to determine whether Authorizables are
allowed at or below the path of the provided node:
{code:java}
node.isNodeType("rep:AuthorizableFolder") ||
isAuthorizableNodeType(node.getPrimaryNodeType().getName()) {code}
> Importing content packages with minimum permissions fails
> ----------------------------------------------------------
>
> Key: JCRVLT-721
> URL: https://issues.apache.org/jira/browse/JCRVLT-721
> Project: Jackrabbit FileVault
> Issue Type: Bug
> Components: Packaging
> Affects Versions: 3.7.0
> Reporter: Ankita Agarwal
> Priority: Major
>
> Importing Content Packages using a dedicated user (with minimum permissions)
> has failed with AccessDeniedExceptions since JCRVLT 3.7.0 release.
> This is a regression of issue JCRVLT-683 specifically to logic that has been
> added to determine the root paths of groups and users in
> JackrabbitACLManagement#determineAuthorizableRootPaths
> ([https://github.com/apache/jackrabbit-filevault/blame/jackrabbit-filevault-3.7.0/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JackrabbitACLManagement.java#L119]).
> The new logic creates a group and a user in order to determine the root paths
> of groups and users and immediately deletes them afterward.
> This is a bad solution as it breaks the Principle of Least Permission (PoLP):
> The user that is being used to import content should not have permission to
> create and delete users and groups.
> The root paths of users and groups are always initialized as /home/users and
> /home/groups, so there is little need to determine root paths by creating and
> deleting groups and users.
> ----
> *Steps to reproduce:*
> * You create a user that you use to import content. You give it all
> permissions on /content
> * When you import a content package that replaces existing content (= when
> you import the same content package twice, and it has "replace" in its filter
> definition), you will see that it fails with the error that it cannot access
> the /home/groups or /home/users repository path
> ----
> *Expected Behavior:* Successful content package imports
> ----
> *Experienced Behavior:* Content package imports that succeeded before now
> fail with AccessDeniedExceptions
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
