[ https://issues.apache.org/jira/browse/SLING-9953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17241493#comment-17241493 ]

Dominik Süß commented on SLING-9953:
------------------------------------

[~angela] - IIRC the background of SLING-8561 was about legacy users from old 
AEM versions predating system users which, due to the way these users were 
created in the past, contained ACLs for the access on the service user itself 
(esp. to be able to modify profile, manipulate password or set impersonators).
I am not sure how omitting dedicated creation of those ACLs would cause a 
broken login feature as those ACLs are not set for other service users - this 
code does not remove ACLs that are generated by the service user creation, it 
just omits explicit ACL creation found on the service user's node.

> ACEs on/below user nodes are ignored upon conversion
> ----------------------------------------------------
>
>                 Key: SLING-9953
>                 URL: https://issues.apache.org/jira/browse/SLING-9953
>             Project: Sling
>          Issue Type: Bug
>          Components: Content-Package to Feature Model Converter
>            Reporter: Angela Schreiber
>            Priority: Critical
>
> I had a look at the cp-feature-model-converter in the light of SLING-9692 and 
> found a surprising comment pointing to SLING-8561:
> {code}
> // clean the unneeded ACLs, see SLING-8561
> {code}
> code here:
> https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/acl/DefaultAclManager.java#L146-L153
> what it does in fact is omit any kind of permission setup that is defined for 
> the service user's home node. that's quite a serious bug IMHO.... and on top 
> of that unnecessary because Sling repo-init allows to define those kinds of 
> ACEs using the home(userid) notation (see 
> https://sling.apache.org/documentation/bundles/repository-initialization.html)
> and btw: what does _unneeded ACLs_ mean? they are for sure not 'unneeded' and 
> omitting them will essentially result in an invalid permission setup (and 
> thus break the feature using the service login).
> cc: [~cziegeler], [~karlpauls], [~dsuess]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
