On 28 Oct 2009, at 14:12, thorsten zerha wrote:
Hi again,
thanks for your advice, Ian.
I'm still struggling with this...
I went with the SlingPostProcessor and carried together the
following lines of code to set ACL to allow the CREATOR ONLY. In my
understanding, all privileges will be overwritten, when a new one is
set (or does this only apply to the permission-manager-bundle?).
I think you need to get the ACL for the principal, edit that
principal and set it. A quick scan of your code looks like it's setting
all supported privileges?
If others don't follow this route, then yes, they will overwrite.
(addEntry might be a bit misleading, since it implies adding an entry
to the ACL for the principal, where it might really be adding an entire
principal ACL overwriting the others; perhaps put or set would have
been better)
// Imports the snippet needs (javax.jcr.security is the JCR 2.0 access control API)
import java.security.Principal;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.sling.jcr.base.util.AccessControlUtil;

AccessControlManager accessController =
    AccessControlUtil.getAccessControlManager(session);
AccessControlPolicyIterator applicablePolicies =
    accessController.getApplicablePolicies(currentNode.getPath());
AccessControlList acl =
    (AccessControlList) applicablePolicies.nextAccessControlPolicy();
// getSupportedPrivileges returns every privilege the repository knows, not just the ones wanted here
Privilege[] supportedPrivileges =
    accessController.getSupportedPrivileges(currentNode.getPath());
Principal userPrincipal =
    AccessControlUtil.getPrincipalManager(session).getPrincipal(
        session.getUserID());
AccessControlUtil.addEntry(acl, userPrincipal, supportedPrivileges, true);
// The edited list must be set back on the node and the session saved, otherwise nothing is persisted
accessController.setPolicy(currentNode.getPath(), acl);
session.save();
but, when I view it with sling/servlet/default/mynode.acl.html
(where I changed
privilegesInfo.getDeclaredAccessRights(currentNode)
to
privilegesInfo.getEffectiveAccessRights(currentNode))
there is no change. Still "everyone" and "administrators" are listed.
Effective looks at parent nodes.
Actually, I can't even achieve the desired behavior by setting a
permission manually in the browser via "mynode.acl.html". myuser is
listed, as expected, "everyone" and "administrators" are not (as
expected), but still, anonymous can access mynode.
And even more strange to me: when I set "anonymous" (in
"mynode.acl.html") to "DENY ALL", even then I can still access it as the
anonymous (not logged in) user.
What am I misunderstanding?
IIRC, the *standard* DefaultAccessManager in Jackrabbit has a policy
that says groups, once granted, can't be denied.
So if you grant read to everyone at the root of a JCR tree, then it's
not possible to deny read to everyone further down the tree.
Now, I may have got that wrong, but I remember asking a similar
question over at [email protected]. The
DefaultAccessManager is part of the Jackrabbit code base and so that's
where discussion on this will be most effective, although there are
Jackrabbit users and developers here.
Ian
thanks in advance again,
thorsten
Ian Boston wrote:
There are several options.
1. As you have mentioned, implement a PluggableDefaultAccessManager
or AccessManagerPluginFactory, though doing either of these is likely
to result in either a lot of work or losing Jackrabbit's excellent
DefaultAccessManager implementation.
2. Adding a SlingPostProcessor to add an ACL for the node on
creation, allowing the user who created the node permissions, is
probably the simplest and most direct. This has one caveat: that
all node creation happens through Sling and there are no custom
servlets that create nodes without putting the correct ACLs on.
3. Patching the DefaultAccessManager to have dynamic principals
driven by node properties. This is the route I have taken, but my
use case is much wider than owner write. The big negative of this
approach is I need a custom Sling jcr server bundle which is a real
pain to maintain.
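Editor's worked example for option 2 and for Ian's advice above (get the ACL for the principal, edit only that principal's entries, set it back). This is added code, not from the thread, Sling or Jackrabbit. It uses only the JCR 2.0 javax.jcr.security API that Jackrabbit 2.x provides, so it does not need Sling's AccessControlUtil; it includes the setPolicy and save calls that the snippet in the thread left out, and it reads the effective policies so the inherited "everyone" grant from a parent node becomes visible, which is Ian's point about effective versus declared rights. Assumptions: the session user is the node's creator, the user id is also the principal name (the thread's AccessControlUtil.getPrincipalManager lookup is the more precise way to resolve it), and the class and method names (CreatorAcl, grantCreatorOnly, describeEffectiveAcl, findOrCreateAcl) are ours.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

// Added example (not the thread's code): helper a SlingPostProcessor can call for
// each node it sees created, using the JCR 2.0 API available in Jackrabbit 2.x.
public final class CreatorAcl {

    /** Grants jcr:all at path to the session's user, replacing that user's earlier entries. */
    public static void grantCreatorOnly(Session session, String path) throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        AccessControlList acl = findOrCreateAcl(acm, path);

        // Assumption: the user id doubles as the principal name. Jackrabbit validates the
        // name against its PrincipalManager when the entry is added.
        Principal creator = principalNamed(session.getUserID());

        // Edit only this principal's entries: remove what is already there for the
        // creator so the new grant replaces rather than accumulates. Other principals'
        // entries on this node are left untouched.
        for (AccessControlEntry ace : acl.getAccessControlEntries()) {
            if (ace.getPrincipal().getName().equals(creator.getName())) {
                acl.removeAccessControlEntry(ace);
            }
        }
        Privilege[] all = { acm.privilegeFromName(Privilege.JCR_ALL) };
        acl.addAccessControlEntry(creator, all);

        // Nothing takes effect until the edited list is bound to the node and saved.
        acm.setPolicy(path, acl);
        session.save();
    }

    /** Returns the ACL already bound at path, or a fresh applicable one if none is bound yet. */
    static AccessControlList findOrCreateAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof AccessControlList) {
                return (AccessControlList) p;
            }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) {
                return (AccessControlList) p;
            }
        }
        throw new RepositoryException("no AccessControlList available at " + path);
    }

    /**
     * Lists the effective entries at path (this node plus everything inherited from
     * parents) as "principal: privilege ..." lines. A grant to "everyone" that was made
     * at the root shows up here even though mynode's own list never mentions it.
     */
    public static List<String> describeEffectiveAcl(Session session, String path)
            throws RepositoryException {
        List<String> lines = new ArrayList<String>();
        AccessControlManager acm = session.getAccessControlManager();
        for (AccessControlPolicy p : acm.getEffectivePolicies(path)) {
            if (!(p instanceof AccessControlList)) {
                continue;
            }
            for (AccessControlEntry ace : ((AccessControlList) p).getAccessControlEntries()) {
                StringBuilder sb = new StringBuilder(ace.getPrincipal().getName()).append(':');
                for (Privilege priv : ace.getPrivileges()) {
                    sb.append(' ').append(priv.getName());
                }
                lines.add(sb.toString());
            }
        }
        return lines;
    }

    private static Principal principalNamed(final String name) {
        return new Principal() {
            public String getName() { return name; }
        };
    }
}
```

Wire it in from SlingPostProcessor.process(SlingHttpServletRequest, List<Modification>): for each Modification of type CREATE, call grantCreatorOnly(request.getResourceResolver().adaptTo(Session.class), modification.getSource()). Calling describeEffectiveAcl on the same path afterwards is the quickest way to confirm whether a remaining grant to everyone comes from the node itself or from an ancestor, which is the case Ian describes where a group granted higher up the tree cannot be taken away lower down under the standard DefaultAccessManager.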