Angela Schreiber created SLING-11160:
----------------------------------------
Summary: Repoinit does not allow to remove individual ACEs
Key: SLING-11160
URL: https://issues.apache.org/jira/browse/SLING-11160
Project: Sling
Issue Type: Bug
Components: Repoinit
Reporter: Angela Schreiber
With SLING-9090 support for using _REMOVE *_ for all entries at a given path or
for a given principal has been implemented.
However as indicated in the same issue the intended usage of _REMOVE
some-thing-specific_ is not clear.
What is therefore missing repo-init is the ability to remove a single access
control entry that matches
- prinicipal
- privileges
- allow-status
- single value restriction
- mv restrictions.
As far as I can see the biggest issue is the fact that REMOVE vs ALLOW/DENY are
mutually exclusive as the other params listed above can be extracted from a
given AclLine in combination with the set-ACL statement.
This could be fixed by adjusting the following parser method
{code}
AclLine privilegesLineOperation() :
{}
{
(
<REMOVE> { return new AclLine(AclLine.Action.REMOVE); }
| ( <ALLOW> { return new AclLine(AclLine.Action.ALLOW); } )
| ( <DENY> { return new AclLine(AclLine.Action.DENY); } )
)
}
{code}
such that
- REMOVE is optional, followed by
- ALLOW or DENY
The {{AclLine}} would then need to be slightly adjusted such that REMOVE can
be combined with either ALLOW or DENY.
Otherwise, I don't see how
{{AccessControlList.removeAccessControlEntry(AccessControlEntry)}} could be
implemented in org.apache.sling.jcr.repoinit for a single ACE.
Or maybe the intention was something different in the first place?
[~bdelacretaz], I would appreciate if you had time to comment on this.
cc: [~kpauls], [~cziegeler]
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
