enapps-enorman opened a new pull request, #16:
URL:
https://github.com/apache/sling-org-apache-sling-jcr-jackrabbit-accessmanager/pull/16
If any leaf privilege has different restrictions than a contained aggregate
parent privilege, then the parent should not be set and the non-conflicting
ancestors should be set instead to avoid an ambiguous definition.
For example, consider rep:write being allowed and then the leaf
rep:removeProperties is also allowed but with restrictions with something like
this:
```
curl -FprincipalId=slingshot1 \
-Fprivilege@rep:write=allow \
-Fprivilege@rep:removeProperties=allow \
-Frestriction@rep:removeProperties@rep:glob@Allow=/hello \
http://admin:admin@localhost:8080/starter.modifyAce.html
```
Expected that rep:write would not be marked as allowed, but the
non-conflicting items in the rep:write aggregate privilege would be allowed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
