[ https://issues.apache.org/jira/browse/SLING-5768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15367896#comment-15367896 ]

Georg Henzler commented on SLING-5768:
--------------------------------------

bq. I am not so fond of the naming sling:resourceTypesWithChildren

I don't think the name is perfect either, I just could not think of a better
name. You suggested {{sling:resourceTypesInAncestry}} at some point (this would
actually be more in line with the algorithm that traverses the parents), but
when writing the rule, I think it feels more natural to think about a node with
a resource type and match all the children along with it. [~rombert] as a third
opinion, what do you think?

bq. I am not sure whether this would rather be a good proposal for Oak as a
general property matcher restriction.

I think at some point Oak should also introduce more flexible "matcher
restrictions", but the Sling one will always make sense as it is more concise
and easier to write.

bq. Also when we talk about resourceTypes in Sling ... or from the *node type*

This is a bit of an academic discussion - the restriction could be extended to
support the node type fallback, but on the other hand it's not that useful
(because most Sling applications don't work with a wide range of node types)
and also, standard Oak rep:ntNames does exactly this.

Regarding the documentation: Where exactly is the source of pages like
https://sling.apache.org/documentation/bundles/sling-health-check-tool.html? I
suggest adding a new page for the Sling restrictions (as it is its own module).

> Introduce sling:resourceTypes as extension to Oak permission system
> -------------------------------------------------------------------
>
> Key: SLING-5768
> URL: https://issues.apache.org/jira/browse/SLING-5768
> Project: Sling
> Issue Type: New Feature
> Components: Extensions
> Reporter: Georg Henzler
> Assignee: Robert Munteanu
> Fix For: Oak Restrictions 1.0.0
>
>
> Oak allows to extend its permissions management by using custom restrictions
> [1], also the standard oak restrictions are based on this and are
> implemented in a fairly straight-forward way [2] (example is for
> rep:ntNames).
> It would be nice to have sling level restrictions using sling properties in
> general. This issue is about introducing a restriction on resource types -
> the following should be possible:
> {code}
> - /content/mynode
>   - rep:policy (rep:ACL)
>     - allow (rep:GrantACE)
>       + principalName (String) = "myAuthorizable"
>       + rep:privileges (Name[]) = "rep:write"
>       - rep:restrictions (rep:Restrictions)
>         + sling:resourceTypes (String[]) = [myproj/resourcetype1,myproj/resourcetype2]
> {code}
> The example would only grant "rep:write" for the resource types
> myproj/resourcetype1 and myproj/resourcetype2 in path /content/mynode, other
> resources under path /content/mynode would not have "rep:write" permissions.
> Additionally to strict resource type matching it shall be possible to
> automatically match a resource with a given resource type including all
> children. Also, not all content nodes have a resource type, therefore it
> should be possible to match against a child node by appending @path to the
> resource type:
> {code}
> - /content/myprj
>   - rep:policy (rep:ACL)
>     - allow (rep:GrantACE)
>       + principalName (String) = "myAuthorizable"
>       + rep:privileges (Name[]) = "rep:write"
>       - rep:restrictions (rep:Restrictions)
>         + sling:resourceTypesWithChildren (String[]) = [myproj/resourcetype1@jcr:content]
> {code}
> To achieve this any path match attempt traverses the parents and checks for a
> match (but only up to the base path, /content/myprj in this example). For AEM
> use cases, this can match a whole page structure (e.g. something like
> /content/myprj/path/to/newsoverview, the whole news section can be easily
> matched by having a distinct news overview template).
> [1]
> https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#Pluggability
> [2]
> https://github.com/apache/jackrabbit-oak/blob/cea167f5bf70d818d58b1ffcc6bc65b3c0f9a5a4/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java#L50
> https://github.com/apache/jackrabbit-oak/blob/cea167f5bf70d818d58b1ffcc6bc65b3c0f9a5a4/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
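
The matching rules described in the issue, modeled as an added example (not code from the Sling or Oak projects, and not using the Oak restriction API). The class name, the in-memory `TYPES` map standing in for the repository, and the choice to include the base path itself in the ancestor walk are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Illustrative model only: a Map stands in for the JCR content tree. */
public class ResourceTypeRestrictionDemo {
    // Constructed sample content: path -> sling:resourceType (absent = node has no resource type).
    static final Map<String, String> TYPES = Map.of(
        "/content/myprj/news/jcr:content", "myproj/resourcetype1",
        "/content/myprj/about/jcr:content", "myproj/other");

    static String parent(String path) {
        int i = path.lastIndexOf('/');
        return i <= 0 ? "/" : path.substring(0, i);
    }

    /** Strict form (sling:resourceTypes): only the node's own resource type is considered. */
    static boolean matchesExact(String path, Set<String> allowed) {
        String type = TYPES.get(path);
        return type != null && allowed.contains(type); // null check: immutable sets reject null lookups
    }

    /**
     * Ancestor form (sling:resourceTypesWithChildren): walk from the node up to basePath.
     * An entry "type@child" reads the resource type from <ancestor>/child instead of the ancestor.
     * Assumes basePath is not "/" and that the base path node itself is checked (assumption).
     */
    static boolean matchesWithChildren(String path, String basePath, List<String> entries) {
        if (!path.equals(basePath) && !path.startsWith(basePath + "/")) return false; // outside the ACL's subtree
        for (String cur = path; ; cur = parent(cur)) {
            for (String entry : entries) {
                int at = entry.indexOf('@');
                String type = at < 0 ? entry : entry.substring(0, at);
                String typeNode = at < 0 ? cur : cur + "/" + entry.substring(at + 1);
                if (type.equals(TYPES.get(typeNode))) return true;
            }
            if (cur.equals(basePath)) return false; // stop here: never inspect nodes above the base path
        }
    }

    public static void main(String[] args) {
        String base = "/content/myprj";
        List<String> rule = List.of("myproj/resourcetype1@jcr:content");
        // A page whose jcr:content carries the type, and a node deep below that page.
        System.out.println(matchesWithChildren("/content/myprj/news", base, rule));
        System.out.println(matchesWithChildren("/content/myprj/news/2016/item/jcr:content/par", base, rule));
        // A page built from a different template, and a path outside the base path.
        System.out.println(matchesWithChildren("/content/myprj/about/jcr:content", base, rule));
        System.out.println(matchesWithChildren("/content/other/news", base, rule));
        // Strict matching: the typed node itself versus one of its children.
        System.out.println(matchesExact("/content/myprj/news/jcr:content", Set.of("myproj/resourcetype1")));
        System.out.println(matchesExact("/content/myprj/news/jcr:content/par", Set.of("myproj/resourcetype1")));
    }
}
```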