[
https://issues.apache.org/jira/browse/SLING-9871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17307983#comment-17307983
]
Ashish Chopra commented on SLING-9871:
--------------------------------------
Thanks for sharing your insights [~angela]!
bq. the reason why this feature request exists in the first place, is the usage
of 'DENY' access control entries.... because otherwise the order wouldn't
matter at all.
I can confirm that I encountered this while dealing with _deny_ entries, if not
adding them myself. In fact, the issue I ran into was _other principals_
required to read a certain content tree, and their ACEs weren't effective
because of a {{deny}} for {{everyone}} appearing much later than those other
principals in question.
bq. usage of DENY entries is IMHO usually a sign of bad content model or a bug
in the application... adding additional DENYs should only rarely be required and
as I said usually highlight issues in the content modeling.
This is a useful perspective, and I'll definitely keep this in mind going forward
while modeling content.
I still think the request here might be useful because it is not easy
(impossible?) to start from scratch when it comes to modeling content and
existing content and access control setup might tie the hands of the developer
:/
bq. I am really not entirely convinced this is worth the effort.
Unfortunately, I'm not qualified enough to comment on it. As expressed above, I
think the capability will come in handy, however if the owners+maintainers of
Sling repoinit show alignment with the line-of-thought you've expressed then we
should just document the current situation (i.e., _"here's the order in which
ACLs are applied when a feature-aggregate has {{set ACL}} sections for a given
path present in multiple feature-files"_) and close this issue.
> Allow for reordering aggregated repoinit fragments
> --------------------------------------------------
>
> Key: SLING-9871
> URL: https://issues.apache.org/jira/browse/SLING-9871
> Project: Sling
> Issue Type: Improvement
> Components: Repoinit
> Reporter: Ashish Chopra
> Priority: Major
>
> As of writing this, repoinit processor (among other things not relevant to
> this JIRA) collects {{create path}} statements and {{set ACL}} statements
> declared in all the feature-models applicable to feature-aggregate under
> consideration.
> Upon repository initialization, it applies all the {{create path}}
> statements, followed by all the {{set ACL}} statements. However, the order in
> which {{set ACL}} statements declared across feature models are applied isn't
> defined (currently, it seems to be based on feature-model-name,
> alphabetically ascending).
> This causes issues at times because we want the order of the ACEs to be
> maintained (e.g., "deny"s for everyone at a given path must be the first ACE,
> followed by "allow"s for specific, non-system-user principals)
> Repoinit should be able to support this requirement.
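The ordering problem discussed in this thread, as an added example that is not code from the thread or from Sling: it aggregates the `set ACL` entries of two feature models for one path and shows how fragment order changes the effective read access. It assumes a simplified model in which the last entry matching the caller decides; the feature-model names and the `content-readers` principal are constructed.

```python
from typing import NamedTuple

class Ace(NamedTuple):
    principal: str
    allow: bool
    privilege: str

# Constructed sample: feature-model name -> ACEs its "set ACL" section adds
# for one shared path. All names here are hypothetical.
FRAGMENTS = {
    "a-content-readers": [Ace("content-readers", True, "jcr:read")],
    "z-base-lockdown": [Ace("everyone", False, "jcr:read")],
}

def aggregate(fragments, order=None):
    """Concatenate ACEs fragment by fragment. Without an explicit order, use
    ascending feature-model name, the behaviour the issue reports observing."""
    names = sorted(fragments) if order is None else list(order)
    unknown = [n for n in names if n not in fragments]
    if unknown:
        raise KeyError(f"unknown fragments: {unknown}")
    return [ace for name in names for ace in fragments[name]]

def is_granted(acl, principals, privilege):
    """Assumed model: the last entry matching the caller decides; no match
    means no access."""
    decision = False
    for ace in acl:
        if ace.privilege == privilege and ace.principal in principals:
            decision = ace.allow
    return decision

def shadowed_allows(acl):
    """Allow entries overridden by a later deny for 'everyone' on the same
    privilege, the situation described in the comment."""
    return [
        ace for i, ace in enumerate(acl)
        if ace.allow and any(
            not later.allow and later.principal == "everyone"
            and later.privilege == ace.privilege
            for later in acl[i + 1:]
        )
    ]

CALLER = {"content-readers", "everyone"}  # every principal is also in 'everyone'
default_acl = aggregate(FRAGMENTS)
ordered_acl = aggregate(FRAGMENTS, ["z-base-lockdown", "a-content-readers"])
```

Running `shadowed_allows` over an aggregated ACL is a quick audit for allow entries that a later `everyone` deny has silently made ineffective.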