enapps-enorman opened a new pull request, #15:
URL: https://github.com/apache/sling-org-apache-sling-jcr-jackrabbit-accessmanager/pull/15

   Modifying an ACE should not include an allow/deny aggregate privilege when there is a deny/allow child privilege with the same restrictions as the parent
   
   For example, consider this use case with a modifyAce request with fields 
like this on a parent node:
   
   ```
   //allow the child privileges with varying restrictions
   privilege@rep:readNodes=allow
   privilege@rep:readProperties=allow
   restriction@rep:readProperties@rep:itemNames@Allow=jcr:created
   
   //and deny a child privilege with the same restrictions as the aggregate would get
   privilege@rep:readProperties=deny
   ```
   
   The expected ace of the child node should not have the jcr:read privilege 
set as allowed:
   
   ```
   {
     "principal":"testuser1",
     "privileges":{
       "rep:readProperties":{
         "allow":{
           "rep:itemNames":[
             "jcr:created"
           ]
         },
         "deny":true
       },
       "rep:readNodes":{
         "allow":true
       }
     }
   }
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
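
A check for the condition this pull request describes, as an added example that is not part of the pull request or the Sling code base: it scans an ACE in the JSON shape shown above and reports an aggregate privilege set on one side while one of its children is set on the opposite side with the same restrictions. The `AGGREGATES` table (jcr:read covering rep:readNodes and rep:readProperties), the function names and the `REGRESSED_ACE` sample are assumptions made for the illustration.

```python
import json

# Assumption: jcr:read is the aggregate of these two child privileges.
AGGREGATES = {"jcr:read": ("rep:readNodes", "rep:readProperties")}

# The expected ACE from the pull request description.
EXPECTED_ACE = json.loads("""
{"principal": "testuser1",
 "privileges": {
   "rep:readProperties": {"allow": {"rep:itemNames": ["jcr:created"]}, "deny": true},
   "rep:readNodes": {"allow": true}}}
""")

# Constructed sample: the aggregate is allowed although a child is denied.
REGRESSED_ACE = json.loads("""
{"principal": "testuser1",
 "privileges": {
   "jcr:read": {"allow": true},
   "rep:readProperties": {"allow": {"rep:itemNames": ["jcr:created"]}, "deny": true}}}
""")

def _restrictions(value):
    """Normalize an allow/deny value: True means set without restrictions,
    a dict means set with those restrictions, anything else means not set."""
    if value is True:
        return {}
    if isinstance(value, dict):
        return {k: sorted(v) if isinstance(v, list) else v for k, v in value.items()}
    return None

def conflicting_aggregates(ace, aggregates=AGGREGATES):
    """Return (aggregate, side, child, opposite_side) for every aggregate that is
    set on one side while a child is set on the other with equal restrictions."""
    privileges = ace.get("privileges", {})
    findings = []
    for aggregate, children in aggregates.items():
        entry = privileges.get(aggregate, {})
        for side, opposite in (("allow", "deny"), ("deny", "allow")):
            agg_restrictions = _restrictions(entry.get(side))
            if agg_restrictions is None:
                continue
            for child in children:
                child_value = privileges.get(child, {}).get(opposite)
                if _restrictions(child_value) == agg_restrictions:
                    findings.append((aggregate, side, child, opposite))
    return findings
```

An empty result for an ACE means no aggregate contradicts one of its child privileges; each tuple otherwise names the aggregate, the side it is set on, and the child set on the opposite side.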