[jira] [Comment Edited] (SLING-3224) GetAclTest integration test fails due to incorrect privilege expansion in AbstractGetAclServlet

Robert Munteanu (JIRA) Thu, 24 Aug 2017 06:46:28 -0700

    [ 
https://issues.apache.org/jira/browse/SLING-3224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16139887#comment-16139887
 ]


Robert Munteanu edited comment on SLING-3224 at 8/24/17 1:45 PM:
-----------------------------------------------------------------

Stepping through the code I can see that Oak returns the privileges correctly. 
However, in {{AbstractGetAclServlet.internalGetAcl}} , the 
{{mergePrivilegeSet}} invocation does not work properly. The call that fails is 
at line 181:

{code:java}
                        mergePrivilegeSets(privilege,
                                        privilegeToAncestorMap,
                                                        deniedSet, grantedSet);
{code}

where privilege is {{jcr:write}}, deniedSet is empty and grantedSet is 
{{jcr:all}}.

The logic is quite involved but I guess expansion of aggregate privileges is 
broken here.

_Edit_: typo


was (Author: rombert):
Stepping through the code I can see that Oak returns the privileges correctly. 
However, in {{AbstractGetAclServlet.internalGetAcl}} , the 
{{mergePrivilegeSet}} invocation does not work properly. The call that fails is 
at line 181:

{code:java}
                        mergePrivilegeSets(privilege,
                                        privilegeToAncestorMap,
                                                        deniedSet, grantedSet);
{code}

where privilege is {{jcr:write}, deniedSet is empty and grantedSet is 
{{jcr:all}}.

The logic is quite involved but I guess expansion of aggregate privileges is 
broken here.

> GetAclTest integration test fails due to incorrect privilege expansion in 
> AbstractGetAclServlet
> -----------------------------------------------------------------------------------------------
>
>                 Key: SLING-3224
>                 URL: https://issues.apache.org/jira/browse/SLING-3224
>             Project: Sling
>          Issue Type: Bug
>          Components: JCR
>            Reporter: Bertrand Delacretaz
>            Assignee: Robert Munteanu
>              Labels: sling-IT
>             Fix For: JCR Jackrabbit Access Manager 3.0.2
>
>
> Failed tests:   testEffectiveAclMergeForUser_SubsetOfPrivilegesDeniedOnChild:
> Expected privilege jcr:modifyProperties to be NOT INCLUDED in supplied list: 
> [rep:userManagement, jcr:nodeTypeManagement, jcr:modifyProperties, 
> jcr:namespaceManagement, rep:privilegeManagement, jcr:workspaceManagement, 
> rep:readProperties, rep:alterProperties, jcr:nodeTypeDefinitionManagement, 
> jcr:lockManagement, jcr:read, jcr:lifecycleManagement, jcr:removeNode, 
> jcr:modifyAccessControl, jcr:removeChildNodes, jcr:versionManagement, 
> rep:addProperties, rep:removeProperties, rep:readNodes, 
> jcr:readAccessControl, jcr:addChildNodes, jcr:retentionManagement])



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Comment Edited] (SLING-3224) GetAclTest integration test fails due to incorrect privilege expansion in AbstractGetAclServlet

Reply via email to