[
https://issues.apache.org/jira/browse/SLING-5768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15367607#comment-15367607
]
Konrad Windszus edited comment on SLING-5768 at 7/8/16 12:37 PM:
-----------------------------------------------------------------
I am not so fond of the naming {{sling:resourceTypesWithChildren}} because it
is not obvious what is meant by this.
Also, with the above description I have some trouble understanding what the
restriction {{sling:resourceTypes}} actually means.
I think we need documentation which explains that the corresponding ACE is only
considered in case the affected node already contains a node
"sling:resourceType" with one of the given values.
I am not sure whether this would rather be a good proposal for Oak as a general
property matcher restriction. Whether it is a property of name
"sling:resourceType" or of any other name, would then be up to the one creating
the ACE.
Also when we talk about resourceTypes in Sling, those could come (in the case
of JCR) either from a property called {{sling:resourceType}} or from the node
type
(https://sling.apache.org/documentation/the-sling-engine/resources.html#resource-types).
> Introduce sling:resourceTypes as extension to Oak permission system
> -------------------------------------------------------------------
>
> Key: SLING-5768
> URL: https://issues.apache.org/jira/browse/SLING-5768
> Project: Sling
> Issue Type: New Feature
> Components: Extensions
> Reporter: Georg Henzler
> Assignee: Robert Munteanu
> Fix For: Oak Restrictions 1.0.0
>
>
> Oak allows extending its permissions management by using custom restrictions
> [1]; the standard Oak restrictions are also based on this and are
> implemented in a fairly straightforward way [2] (example is for
> rep:ntNames).
> It would be nice to have sling level restrictions using sling properties in
> general. This issue is about introducing a restriction on resource types -
> the following should be possible:
> {code}
> - /content/mynode
>   - rep:policy (rep:ACL)
>     - allow (rep:GrantACE)
>       + principalName (String) = "myAuthorizable"
>       + rep:privileges (Name[]) = "rep:write"
>       - rep:restrictions (rep:Restrictions)
>         + sling:resourceTypes (String[]) = [myproj/resourcetype1,myproj/resourcetype2]
> {code}
> The example would only grant "rep:write" for the resource types
> myproj/resourcetype1 and myproj/resourcetype2 in path /content/mynode, other
> resources under path /content/mynode would not have "rep:write" permissions.
> In addition to strict resource type matching, it shall be possible to
> automatically match a resource with a given resource type including all
> children. Also, not all content nodes have a resource type, therefore it
> should be possible to match against a child node by appending @path to the
> resource type:
> {code}
> - /content/myprj
>   - rep:policy (rep:ACL)
>     - allow (rep:GrantACE)
>       + principalName (String) = "myAuthorizable"
>       + rep:privileges (Name[]) = "rep:write"
>       - rep:restrictions (rep:Restrictions)
>         + sling:resourceTypesWithChildren (String[]) = [myproj/resourcetype1@jcr:content]
> {code}
> To achieve this, any path match attempt traverses the parents and checks for a
> match (but only up to the base path, /content/myprj in this example). For AEM
> use cases, this can match a whole page structure (e.g. something like
> /content/myprj/path/to/newsoverview, the whole news section can be easily
> matched by having a distinct news overview template).
> [1]
> https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#Pluggability
> [2]
> https://github.com/apache/jackrabbit-oak/blob/cea167f5bf70d818d58b1ffcc6bc65b3c0f9a5a4/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java#L50)
> https://github.com/apache/jackrabbit-oak/blob/cea167f5bf70d818d58b1ffcc6bc65b3c0f9a5a4/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
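The matching rules described in the issue, as an added example that is not part of the original message and is not the Sling or Oak implementation: it contrasts the strict check with the parent traversal up to the base path, so a reviewer can see which paths an ACE with each restriction would cover. The class and method names, the map standing in for the repository, the sample paths, and the choice to include the base path itself in the traversal are all assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;

public class ResourceTypeRestrictionDemo {
    // Constructed sample content: node path -> value of its sling:resourceType property.
    static final Map<String, String> TYPES = Map.of(
        "/content/myprj/news/jcr:content", "myproj/resourcetype1",
        "/content/myprj/about/jcr:content", "myproj/other");

    // True if the node at 'path' satisfies one restriction value,
    // written either as "type" or as "type@childPath" (hypothetical helper).
    static boolean nodeMatches(String path, String value) {
        int at = value.indexOf('@');
        String type = at < 0 ? value : value.substring(0, at);
        String node = at < 0 ? path : path + "/" + value.substring(at + 1);
        return type.equals(TYPES.get(node));
    }

    // Strict mode checks only 'path'. With withChildren set, the check walks
    // from 'path' up through its parents and stops at 'basePath' (assumed inclusive).
    static boolean matches(String basePath, String path, List<String> values, boolean withChildren) {
        if (!path.equals(basePath) && !path.startsWith(basePath + "/")) {
            return false; // the ACE never applies outside the node it is defined on
        }
        String current = path;
        while (true) {
            for (String v : values) {
                if (nodeMatches(current, v)) return true;
            }
            if (!withChildren || current.equals(basePath)) return false;
            current = current.substring(0, current.lastIndexOf('/')); // step to parent
        }
    }

    public static void main(String[] args) {
        List<String> values = List.of("myproj/resourcetype1@jcr:content");
        String base = "/content/myprj";
        String[] paths = {
            "/content/myprj/news",            // carries the type on its jcr:content child
            "/content/myprj/news/2016/item1", // descendant of a matching node
            "/content/myprj/about/team",      // ancestors carry a different type
            "/content/other/news"             // outside the base path
        };
        for (String p : paths) {
            System.out.printf("%-32s strict=%-5b withChildren=%b%n", p,
                matches(base, p, values, false), matches(base, p, values, true));
        }
    }
}
```

Only the first path matches in strict mode, while the traversal also covers every descendant of a matching node, which is the scope to check when deciding whether an ACE grants more than intended.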