Hi again,
thanks for your advice, Ian.
I'm still struggling with this...
I went with the SlingPostProcessor and carried together the following
lines of code to set ACL to allow the CREATOR ONLY. In my
understanding, all privileges will be overwritten, when a new one is set
(or does this only apply to the permission-manager-bundle?).
    AccessControlManager accessController =
        AccessControlUtil.getAccessControlManager(session);
    AccessControlPolicyIterator applicablePolicies =
        accessController.getApplicablePolicies(currentNode.getPath());
    AccessControlList acl =
        (AccessControlList) applicablePolicies.nextAccessControlPolicy();
    Privilege[] supportedPrivileges =
        accessController.getSupportedPrivileges(currentNode.getPath());
    Principal userPrincipal =
        AccessControlUtil.getPrincipalManager(session).getPrincipal(
            session.getUserID());
    AccessControlUtil.addEntry(acl, userPrincipal, supportedPrivileges,
        true);
but, when I view it with sling/servlet/default/mynode.acl.html (where I
changed
    privilegesInfo.getDeclaredAccessRights(currentNode)
to
    privilegesInfo.getEffectiveAccessRights(currentNode)
), there is no change. Still "everyone" and "administrators" are listed.
Actually, I can't even achieve the desired behavior by setting a
permission manually in the browser via "mynode.acl.html". myuser is
listed, as expected, "everyone" and "administrators" are not (as
expected), but still, anonymous can access mynode.
And even more strange to me: When I set "anonymous" (in
"mynode.acl.html") to "DENY ALL", still then, I can access it with
anonymous (not logged in) user.
What am I misunderstanding?
thanks in advance again,
thorsten
Ian Boston wrote:
There are several options.
1. As you have mentioned, implement a PluggableDefaultAccessManager or
AccessManagerPluginFactory; doing either of these is likely to
result in either a lot of work or losing Jackrabbit's excellent
DefaultAccessManager implementation.
2. Adding a Sling Post Processor to add an ACL for the node on creation
allowing the user who created the node permissions is probably the
simplest and most direct. This has one caveat, that all node creation
happens through Sling and there are no custom servlets that create nodes
without putting the correct ACLs on.
3. Patching the DefaultAccessManager to have dynamic principals driven
by node properties. This is the route I have taken, but my use case is
much wider than owner write. The big negative of this approach is I need
a custom Sling jcr server bundle which is a real pain to maintain.
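
Added example, not part of the original thread or of Sling's own code: in the JCR 2.0 access control API an edited AccessControlList takes effect only after it is bound with setPolicy() and the session is saved, and getApplicablePolicies() returns only policies not yet bound to the path. The class and method names below are hypothetical; the AccessControlUtil calls are the ones used in the message above.

```java
import java.security.Principal;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.sling.jcr.base.util.AccessControlUtil;

/** Hypothetical helper (added example, not code from the thread). */
public final class CreatorAclHelper {

    /** Grants jcr:all on the node to the session's user; returns the ACE count read back. */
    public static int grantAllToCreator(Session session, Node node) throws RepositoryException {
        String path = node.getPath();
        AccessControlManager acm = AccessControlUtil.getAccessControlManager(session);
        AccessControlList acl = findAcl(acm, path);
        if (acl == null) {
            throw new RepositoryException("No access control list can be set at " + path);
        }
        Principal creator = AccessControlUtil.getPrincipalManager(session)
                .getPrincipal(session.getUserID());
        acl.addAccessControlEntry(creator, new Privilege[] { acm.privilegeFromName(Privilege.JCR_ALL) });
        // Until setPolicy() is called the edited list is only a local object;
        // until save() the binding is only a transient change in this session.
        acm.setPolicy(path, acl);
        session.save();
        // Read back what is now bound to the node. Policies bound to ancestor
        // nodes are separate objects and are not changed by this method.
        AccessControlList stored = findAcl(acm, path);
        return stored == null ? 0 : stored.getAccessControlEntries().length;
    }

    /** Prefers the list already bound to the path; falls back to an applicable (unbound) one. */
    private static AccessControlList findAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        // getApplicablePolicies() lists only policies not yet bound, so it can be empty.
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        return null;
    }
}
```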