[
https://issues.apache.org/jira/browse/SLING-11233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eric Norman updated SLING-11233:
--------------------------------
Description:
The restriction details in the ACL json output can be ambiguous in some
situations.
For example, in the example below it is not clear if the "rep:glob" restriction
applies to the "jcr:read" privilege or the "rep:write" privilege.
{code:java}
{
  "user1":{
    "principal":"user1",
    "granted":[
      "jcr:read"
    ],
    "denied":[
      "rep:write"
    ],
    "order":0,
    "restrictions":{
      "rep:glob":"glob1"
    }
  }
}
{code}
Expected:
The JSON structure of the ACE should be enhanced to make it more clear.
For example, replace the "granted/denied/restrictions" items with a
"privileges" structure whose items are the granted or denied privileges. Each
privilege has a "deny" and/or "grant" child whose value is either true (no
restrictions) or an array of restrictions + values.
For example:
{code:java}
{
  "user1":{
    "principal":"user1",
    "order":0,
    "privileges":{
      "jcr:read":{
        "allow":{
          "rep:glob":"glob1"
        }
      },
      "jcr:readAccessControl":{
        "allow":{
          "rep:itemNames":[
            "name1",
            "name2"
          ]
        }
      },
      "rep:write":{
        "deny":true
      }
    }
  }
}
{code}
The new format should also be flexible enough to describe a privilege that is
granted and denied with different restrictions for each of those states. That
scenario is impossible to describe in the old format.
was:
The restriction details in the ACL json can be ambiguous in some situations.
For example, in the example below it is not clear if the "rep:glob" restriction
applies to the "jcr:read" privilege or the "rep:write" privilege.
{code:java}
{
  "user1":{
    "principal":"user1",
    "granted":[
      "jcr:read"
    ],
    "denied":[
      "rep:write"
    ],
    "order":0,
    "restrictions":{
      "rep:glob":"glob1"
    }
  }
}
{code}
Expected:
The JSON structure of the ACE should be enhanced to make it more clear.
For example, replace the "granted/denied/restrictions" items with a
"privileges" structure whose items are the granted or denied privileges. Each
privilege has a "deny" and/or "grant" child whose value is either true (no
restrictions) or an array of restrictions + values.
For example:
{code:java}
{
  "user1":{
    "principal":"user1",
    "order":0,
    "privileges":{
      "jcr:read":{
        "allow":{
          "rep:glob":"glob1"
        }
      },
      "jcr:readAccessControl":{
        "allow":{
          "rep:itemNames":[
            "name1",
            "name2"
          ]
        }
      },
      "rep:write":{
        "deny":true
      }
    }
  }
}
{code}
The new format should also be flexible enough to describe a privilege that is
granted and denied with different restrictions for each of those states. That
scenario is impossible to describe in the old format.
> Change ACL json output structure to be less ambiguous for restrictions
> ----------------------------------------------------------------------
>
> Key: SLING-11233
> URL: https://issues.apache.org/jira/browse/SLING-11233
> Project: Sling
> Issue Type: Improvement
> Reporter: Eric Norman
> Assignee: Eric Norman
> Priority: Major
> Fix For: JCR Jackrabbit Access Manager 3.0.12
>
>
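The following is an added example, not part of the issue or of Sling's code: a Python sketch of how a client auditing ACL output could expand the proposed "privileges" layout into explicit rules, and why an old-layout entry cannot be converted without guessing. The function names and the sample entries are constructed for illustration; the "allow"/"deny" keys follow the issue's JSON example, and treating a shared "restrictions" map as applying to every listed privilege when only one of "granted"/"denied" is present is an assumption.

```python
import json

# Constructed samples. OLD_ACE is the ambiguous entry from the issue; NEW_ACE uses
# the "allow"/"deny" keys from the issue's proposed layout, with one privilege
# (jcr:read) both allowed and denied under different restrictions.
OLD_ACE = json.loads('{"principal":"user1","granted":["jcr:read"],'
                     '"denied":["rep:write"],"order":0,'
                     '"restrictions":{"rep:glob":"glob1"}}')
NEW_ACE = json.loads('{"principal":"user1","order":0,"privileges":{'
                     '"jcr:read":{"allow":{"rep:glob":"glob1"},'
                     '"deny":{"rep:itemNames":["name1","name2"]}},'
                     '"rep:write":{"deny":true}}}')


def flatten_ace(ace):
    """Expand a new-layout ACE into (privilege, effect, restrictions) rules."""
    rules = []
    for privilege, effects in sorted(ace["privileges"].items()):
        for effect in ("allow", "deny"):
            if effect in effects:
                value = effects[effect]
                # true means unrestricted; otherwise a restriction -> value map
                rules.append((privilege, effect, {} if value is True else dict(value)))
    return rules


def upgrade_old_ace(ace):
    """Convert an old-layout ACE, refusing to guess when it is ambiguous."""
    granted, denied = ace.get("granted", []), ace.get("denied", [])
    restrictions = ace.get("restrictions", {})
    if restrictions and granted and denied:
        raise ValueError("restrictions cannot be attributed to granted or denied")
    privileges = {}
    # Assumption: with only one side present, restrictions apply to all of it.
    for name in granted:
        privileges.setdefault(name, {})["allow"] = dict(restrictions) or True
    for name in denied:
        privileges.setdefault(name, {})["deny"] = dict(restrictions) or True
    return {"principal": ace["principal"], "order": ace["order"],
            "privileges": privileges}


if __name__ == "__main__":
    for rule in flatten_ace(NEW_ACE):
        print(rule)
    try:
        upgrade_old_ace(OLD_ACE)
    except ValueError as err:
        print("ambiguous:", err)
```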