[
https://issues.apache.org/jira/browse/SLING-3010?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Carsten Ziegeler closed SLING-3010.
-----------------------------------
> Managing Permissions using Sling with Aggregate Privileges
> ----------------------------------------------------------
>
> Key: SLING-3010
> URL: https://issues.apache.org/jira/browse/SLING-3010
> Project: Sling
> Issue Type: Bug
> Components: API
> Affects Versions: JCR Base 2.1.2
> Reporter: Anjan
> Assignee: Eric Norman
> Priority: Minor
> Labels: aggregate, permissions, privileges
> Fix For: JCR Base 2.2.0
>
>
> I am using Sling's REST interface to modify the permissions on a Node. I
> noticed an issue.
> The issue I am facing can be best explained by showing the curl commands I
> executed and the output I received:
> (1) Here is the initial set of privileges present on the node:
> $ curl -u admin:admin http://localhost:8080/content/pertest.eacl.json
> {"test":{"principal":"test","denied":["jcr:versionManagement","jcr:read","jcr:modifyAccessControl","rep:write"],"order":0},"everyone":{"principal":"everyone","granted":["jcr:read","jcr:readAccessControl"],"order":1},"administrators":{"principal":"administrators","granted":["jcr:all"],"order":2}}
> (2) Run the below command to grant all the privileges for "test" principal
> $ curl -u admin:admin -FprincipalId=test
> -Fprivilege@jcr:versionManagement=granted -Fprivilege@jcr:read=granted
> -Fprivilege@jcr:modifyAccessControl=granted
> -Fprivilege@jcr:nodeTypeManagement=granted -Fprivilege@jcr:write=granted
> http://localhost:8080/content/pertest.modifyAce.json
> (3) As you can see from the below output, "jcr:write" is still present under
> "denied" privileges for "test" even though I granted all the privileges in
> the previous command
> $ curl -u admin:admin http://localhost:8080/content/pertest.eacl.json
> {"test":{"principal":"test","granted":["jcr:nodeTypeManagement","jcr:versionManagement","jcr:read","jcr:modifyAccessControl"],"denied":["jcr:write"],"order":0},"everyone":{"principal":"everyone","granted":["jcr:read","jcr:readAccessControl"],"order":1},"administrators":{"principal":"administrators","granted":["jcr:all"],"order":2}}
> Initially I thought it's a bug in Jackrabbit, but after getting the
> clarification from Jackrabbit forum, I think it might need to be corrected in
> Sling.
> Here is the link to the question I raised in Jackrabbit forum:
> http://jackrabbit.510166.n4.nabble.com/Bug-or-intended-behavior-getAggregatePrivileges-td4659272.html
> Potential fix:
> In the class org.apache.sling.jcr.base.util.AccessControlUtil.java, there is
> a private method with the below signature:
> private static Set<String> disaggregateToPrivilegeNames(Privilege privilege)
> {}
> Inside this method, there is a "for" loop
> for (Privilege disaggregate : privileges) {
> disaggregatedPrivilegeNames.add(disaggregate.getName());
> }
> If I modify the above snippet with the below code snippet, then the issue
> seems to be resolved.
> for (Privilege disaggregate : privileges) {
> if(!disaggregate.isAggregate())
> disaggregatedPrivilegeNames.add(disaggregate.getName());
> }
> Based on my initial testing the change seems to be working fine.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
