[ 
https://issues.apache.org/jira/browse/SLING-9871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17307973#comment-17307973
 ] 

Angela Schreiber commented on SLING-9871:
-----------------------------------------

[~bdelacretaz], [~rombert], [~enorman], [~ashishc], if I may add a comment from 
the security pov: the reason why this feature request exists in the first 
place is the usage of 'DENY' access control entries... because otherwise the 
order wouldn't matter at all. Having said that: usage of DENY entries is IMHO 
usually a sign of a bad content model or a bug in the application (like the one 
in Sling that forced the introduction of deny-entries in Adobe AEM in the first 
place)... but adding additional DENYs should only rarely be required and, as I 
said, usually highlights issues in the content modelling. I am really not 
entirely convinced this is worth the effort.

> Allow for reordering aggregated repoinit fragments
> --------------------------------------------------
>
>                 Key: SLING-9871
>                 URL: https://issues.apache.org/jira/browse/SLING-9871
>             Project: Sling
>          Issue Type: Improvement
>          Components: Repoinit
>            Reporter: Ashish Chopra
>            Priority: Major
>
> As of writing this, the repoinit processor (among other things not relevant to 
> this JIRA) collects {{create path}} statements and {{set ACL}} statements 
> declared in all the feature-models applicable to the feature-aggregate under 
> consideration.
> Upon repository initialization, it applies all the {{create path}} 
> statements, followed by all the {{set ACL}} statements. However, the order in 
> which {{set ACL}} statements declared across feature models are applied isn't 
> defined (currently, it seems to be based on feature-model-name, 
> alphabetically ascending).
> This causes issues at times because we want the order of the ACEs to be 
> maintained (e.g., "deny"s for everyone at a given path must be the first ACE, 
> followed by "allow"s for specific, non-system-user principals).
> Repoinit should be able to support this requirement.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
