[ https://issues.apache.org/jira/browse/SLING-11160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17499623#comment-17499623 ]

Angela Schreiber commented on SLING-11160:
------------------------------------------

[~dklco], uhhhhhhh...... not sure I can follow you with that one. what is 'add 
ACL'? that doesn't exist..... and introducing 'grant' when up to now it's 
called allow? and what exactly is granted? this is getting even more 
complicated. the goal of the 'remove ACL' was _NOT_ to remove the policy (for 
that we have 'delete ACL' already)..... it was simply to remove individual 
entries that match. and if there is no matching entry -> ignore.

but I am with you that 'remove ACL', when in fact the desired action is 'remove 
ACEs', is confusing.

what about the following new statement:

{code}
remove ace for alice
    <here the regular 'aclLine's that were used to set entries with paths, allow/deny, privs, restrictions.....>
end

remove principal ace for alice
    <here the regular 'aclLine's that were used to set entries with paths, allow/deny, privs, restrictions.....>
end

remove ace on /content
    <here the regular 'aclLine's that were used to set entries with principals, allow/deny, privs, restrictions.....>
end
{code}

- no need to learn too much new stuff.... the entry definitions stay the same
- the existing variants of 'set acl' to add entries would be left untouched
- the existing variants of 'delete acl' to remove the policies altogether would 
be left untouched

> Repoinit does not allow to remove individual ACEs
> -------------------------------------------------
>
>                 Key: SLING-11160
>                 URL: https://issues.apache.org/jira/browse/SLING-11160
>             Project: Sling
>          Issue Type: Bug
>          Components: Repoinit
>            Reporter: Angela Schreiber
>            Assignee: Angela Schreiber
>            Priority: Major
>         Attachments: SLING-11160-initial-draft.patch
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> With SLING-9090 support for using _REMOVE *_ for all entries at a given path 
> or for a given principal has been implemented.
> However as indicated in the same issue the intended usage of _REMOVE 
> some-thing-specific_ is not clear.
> What is therefore missing with repo-init is the ability to remove a single 
> access control entry that matches 
> - principal
> - privileges
> - allow-status
> - single value restriction
> - mv restrictions.
> As far as I can see the biggest issue is the fact that REMOVE vs ALLOW/DENY 
> are mutually exclusive as the other params listed above can be extracted from 
> a given AclLine in combination with the set-ACL statement.
> This could be fixed by adjusting the following parser method
> {code}
> AclLine privilegesLineOperation() :
> {}
> {
>     ( 
>         <REMOVE>        { return new AclLine(AclLine.Action.REMOVE); }
>         | ( <ALLOW>     { return new AclLine(AclLine.Action.ALLOW); } )
>         | ( <DENY>      { return new AclLine(AclLine.Action.DENY); } )    
>     ) 
> }
> {code}
> such that
> - REMOVE is optional, followed by 
> - ALLOW or DENY
> The {{AclLine}} would then need to be slightly adjusted such that REMOVE can 
> be combined with either ALLOW or DENY.
> Otherwise, I don't see how 
> {{AccessControlList.removeAccessControlEntry(AccessControlEntry)}} could be 
> implemented in org.apache.sling.jcr.repoinit for a single ACE.
> Or maybe the intention was something different in the first place?
> [~bdelacretaz], I would appreciate if you had time to comment on this.
> cc: [~kpauls], [~cziegeler]
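To make concrete what "remove only the individual entries that match, and ignore when nothing matches" looks like against the JCR/Jackrabbit API mentioned in the issue, here is an added example in Java; it is not code from the Sling repoinit module or from the attached patch. The class name `RemoveMatchingAce`, its method signature and the string-based restriction comparison are assumptions, and it covers resource-based ACLs only (the `remove ace for` / `remove ace on` variants), not the principal-based policy variant.

```java
import java.util.*;
import javax.jcr.*;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

/** Added example (not repoinit code): remove only the ACEs at path that match every criterion. */
public final class RemoveMatchingAce {

    /** Returns the number of removed entries; zero (and no policy change) when nothing matches. */
    public static int removeMatching(Session session, String path, String principalName, boolean allow,
            Set<String> privilegeNames, Map<String, List<String>> restrictions) throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        int removed = 0;
        for (AccessControlPolicy policy : acm.getPolicies(path)) {
            if (!(policy instanceof JackrabbitAccessControlList)) continue;
            JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policy;
            boolean changed = false;
            // getAccessControlEntries() returns a copy, so removing while iterating is safe
            for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                if (ace instanceof JackrabbitAccessControlEntry
                        && matches((JackrabbitAccessControlEntry) ace, principalName, allow, privilegeNames, restrictions)) {
                    acl.removeAccessControlEntry(ace);
                    changed = true;
                    removed++;
                }
            }
            if (changed) acm.setPolicy(path, acl); // write the modified list back; caller does session.save()
        }
        return removed;
    }

    /** An entry matches only on principal, allow/deny status, exact privilege set and exact restrictions. */
    private static boolean matches(JackrabbitAccessControlEntry ace, String principalName, boolean allow,
            Set<String> privilegeNames, Map<String, List<String>> restrictions) throws RepositoryException {
        if (!principalName.equals(ace.getPrincipal().getName()) || ace.isAllow() != allow) return false;
        Set<String> names = new HashSet<>();
        for (Privilege p : ace.getPrivileges()) names.add(p.getName());
        if (!names.equals(privilegeNames)) return false;
        // restriction names must match exactly; values compared as strings (single- and multi-valued alike)
        if (!new HashSet<>(Arrays.asList(ace.getRestrictionNames())).equals(restrictions.keySet())) return false;
        for (Map.Entry<String, List<String>> r : restrictions.entrySet()) {
            List<String> actual = new ArrayList<>();
            for (Value v : ace.getRestrictions(r.getKey())) actual.add(v.getString());
            if (!actual.equals(r.getValue())) return false;
        }
        return true;
    }
}
```

Because matching is exact (privilege set and restrictions must be equal, not merely overlapping), a `remove ace` statement can only strip the entry that an earlier `set ACL` line created, which is the safer behaviour for an operation that widens or narrows access.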



--
This message was sent by Atlassian Jira
(v8.20.1#820001)