Hi, I get the impression that you assume an “allow” has precedence over “deny”. I am pretty sure that “user” permissions have precedence over “group” permissions, but otherwise the order of the ACL is relevant (last wins). Try reordering your ACL and see if that helps.
Regards,
Julian

On Fri, 24 Apr 2020 at 07:52, Andreas Schaefer <[email protected]> wrote:

> Hi
>
> I might be doing something wrong but I am running into issues with Sling
> resource permissions. This is my setup:
>
> - User: perm_17_user
> - Group: perm_17_group
> - Group: tenant_all
> - User is part of both groups
> - Everyone has read access to /
> - Resource: /content/perm_17
> - perm_17_group has jcr:all granted
> - tenant_all has jcr:all denied
>
> Groups:
>
> curl -u admin:admin http://localhost:8080/home/groups.2.json | jq
> {
>   "jcr:primaryType": "rep:AuthorizableFolder",
>   "tenants": {
>     "jcr:primaryType": "rep:AuthorizableFolder",
>     "HDE3HZ3kFOirj8vCLpgj5": {
>       "jcr:primaryType": "rep:Group",
>       "jcr:mixinTypes": [
>         "rep:AccessControllable"
>       ],
>       "jcr:createdBy": "admin",
>       "jcr:created": "Thu Apr 23 2020 15:58:06 GMT-0700",
>       "rep:principalName": "all_tenants",
>       "jcr:uuid": "c273e21f-1cf9-3f59-80e8-a760e7930b8d",
>       "rep:members": [
>         "3c23d2bf-61a4-3204-bde0-6a3e86d2d04b",
>         "42cd1880-d41d-3b27-ab4a-f0235da1715c",
>         "00344a23-f67d-3f6b-951e-71c2ae5e0482",
>         "ef43d954-cf0d-3d61-9ab2-b9a5259619c0",
>         "a197e96b-cf2b-3cbd-bab4-103bd0e1646d"
>       ],
>       "rep:authorizableId": "all_tenants"
>     },
>     "QMRo8OL5zNSaHnA4zK4YV": {
>       "jcr:primaryType": "rep:Group",
>       "jcr:mixinTypes": [
>         "rep:AccessControllable"
>       ],
>       "jcr:createdBy": "peregrine-service-user",
>       "jcr:created": "Thu Apr 23 2020 18:02:27 GMT-0700",
>       "rep:principalName": "perm_17_group",
>       "jcr:uuid": "a197e96b-cf2b-3cbd-bab4-103bd0e1646d",
>       "rep:members": [
>         "6e0b16ee-cdf4-3a65-9a22-951b7828ce52"
>       ],
>       "rep:authorizableId": "perm_17_group"
>     },
>
> Users:
>
> curl -u admin:admin http://localhost:8080/home/users.2.json | jq
> {
>   "jcr:primaryType": "rep:AuthorizableFolder",
>   "tenants": {
>     "jcr:primaryType": "rep:AuthorizableFolder",
>     "7G1VbW9W5bThqIYQRNFbH": {
>       "jcr:primaryType": "rep:User",
>       "jcr:mixinTypes": [
>         "rep:AccessControllable"
>       ],
>       "jcr:createdBy": "peregrine-service-user",
>       "rep:password": "{SHA-256}e6a0e743c84a57c9-1000-097a1bab311072202e27e03b4561b5238909a2426c708da982b85a5d78f02fba",
>       "jcr:created": "Thu Apr 23 2020 18:02:27 GMT-0700",
>       "rep:principalName": "perm_17_user",
>       "jcr:uuid": "6e0b16ee-cdf4-3a65-9a22-951b7828ce52",
>       "rep:authorizableId": "perm_17_user"
>     },
>
> EACL List:
>
> curl -u admin:admin http://localhost:8080/content/perm_17.eacl.json | jq
> {
>   "perm_17_group": {
>     "principal": "perm_17_group",
>     "granted": [
>       "jcr:all"
>     ],
>     "order": 0
>   },
>   "all_tenants": {
>     "principal": "all_tenants",
>     "denied": [
>       "jcr:all"
>     ],
>     "order": 1
>   },
>
> Finally, when I list the resources in /content for user perm_17_user then
> it will not list perm_17:
>
> curl -u perm_17_user:perm_17_user http://localhost:8080/content.1.json | jq
>
> When I replace the group with the user to grant jcr:all then it does
> return that resource:
>
> curl -u perm_17_user:perm_17_user http://localhost:8080/content.1.json | jq
> {
>   "jcr:primaryType": "sling:OrderedFolder",
>   "jcr:mixinTypes": [
>     "rep:AccessControllable"
>   ],
>   "jcr:createdBy": "admin",
>   "jcr:created": "Thu Apr 23 2020 15:58:06 GMT-0700",
>   "nodejs": {
>     "jcr:primaryType": "sling:Folder",
>     "jcr:createdBy": "admin",
>     "jcr:title": "Sling Node Package Manager",
>     "jcr:created": "Thu Apr 23 2020 15:59:49 GMT-0700",
>     "jcr:description": "Sling Node Package Manager Content Root"
>   },
>   "perm_17": {
>     "jcr:primaryType": "per:Site",
>     "jcr:mixinTypes": [
>       "rep:AccessControllable"
>     ],
>     "jcr:title": "perm_17",
>     "template": false,
>     "sourceSite": "themecleanflex",
>     "internal": false
>
> This looks like the group membership of the user is not checked against
> the group.
> Is there anything I am doing wrong, is this a known issue or a bug?
>
> Cheers - Andy Schaefer
>
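The following is an added worked example, not code from the thread or from Sling/Oak. It is a deliberately simplified model of the evaluation rule Julian describes (entries for the user principal beat entries for its groups; among entries of the same kind, the one listed later in the policy wins; nothing matching means denied) and replays the three policies from the thread: the ACL as posted (group allow at order 0, tenant-wide deny at order 1), the same ACL reordered, and the workaround of granting directly to the user. The `Ace` class, the helper names and the membership data are constructed for the example; only the principal names and the `jcr:all` privilege come from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed model of one access control entry as shown by the .eacl.json view.
@dataclass(frozen=True)
class Ace:
    principal: str          # rep:principalName the entry is bound to
    is_group: bool          # True for rep:Group principals, False for rep:User
    allow: bool             # True = granted, False = denied
    privileges: frozenset   # privilege names, e.g. {"jcr:read"} or {"jcr:all"}


def _covers(ace: Ace, privilege: str) -> bool:
    """jcr:all is the aggregate of every privilege; otherwise match by name."""
    return "jcr:all" in ace.privileges or privilege in ace.privileges


def _applies(ace: Ace, user: str, groups: Set[str]) -> bool:
    """An entry applies if it names the user itself or one of the user's groups."""
    if ace.is_group:
        return ace.principal in groups
    return ace.principal == user


def deciding_entry(acl: List[Ace], user: str, groups: Set[str], privilege: str) -> Optional[Ace]:
    """Return the entry that decides `privilege` for `user` at this node, or None.

    Model assumptions (from the thread, not a copy of Oak's implementation):
      1. entries bound to the user principal take precedence over group entries;
      2. within the same kind, the entry listed later in the policy wins.
    """
    user_entries = [a for a in acl if not a.is_group and _applies(a, user, groups) and _covers(a, privilege)]
    group_entries = [a for a in acl if a.is_group and _applies(a, user, groups) and _covers(a, privilege)]
    for bucket in (user_entries, group_entries):
        if bucket:
            return bucket[-1]   # last matching entry of the winning kind decides
    return None


def is_allowed(acl: List[Ace], user: str, groups: Set[str], privilege: str) -> bool:
    """Default deny: with no matching entry the privilege is not granted."""
    ace = deciding_entry(acl, user, groups, privilege)
    return ace is not None and ace.allow


def ineffective_entries(acl: List[Ace], user: str, groups: Set[str], privilege: str) -> List[Ace]:
    """Entries that match the user but are shadowed by a later or higher-precedence entry.

    Useful when auditing a policy: an allow that shows up here grants nothing."""
    deciding = deciding_entry(acl, user, groups, privilege)
    matched = [a for a in acl if _applies(a, user, groups) and _covers(a, privilege)]
    return [a for a in matched if a is not deciding]


def explain(acl: List[Ace], user: str, groups: Set[str], privilege: str) -> str:
    """Human-readable verdict, handy when comparing against the real .eacl.json output."""
    ace = deciding_entry(acl, user, groups, privilege)
    if ace is None:
        return f"{privilege} for {user}: DENIED (no matching entry)"
    kind = "group" if ace.is_group else "user"
    verdict = "ALLOWED" if ace.allow else "DENIED"
    return f"{privilege} for {user}: {verdict} by {kind} entry for {ace.principal}"


# Constructed scenario mirroring the thread.
ALL = frozenset({"jcr:all"})
USER = "perm_17_user"
GROUPS = {"perm_17_group", "all_tenants"}   # membership as shown in the groups.2.json output

# ACL exactly as posted: group allow at order 0, tenant-wide deny at order 1.
ACL_AS_POSTED = [
    Ace("perm_17_group", True, True, ALL),
    Ace("all_tenants", True, False, ALL),
]
# Julian's suggestion: list the broad deny first so the specific allow is evaluated last.
ACL_REORDERED = list(reversed(ACL_AS_POSTED))
# Andy's workaround: grant to the user principal directly; order then no longer matters.
ACL_USER_GRANT = [
    Ace(USER, False, True, ALL),
    Ace("all_tenants", True, False, ALL),
]

if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("reordered", ACL_REORDERED), ("user grant", ACL_USER_GRANT)):
        print(f"[{label}] {explain(acl, USER, GROUPS, 'jcr:read')}")
        for shadowed in ineffective_entries(acl, USER, GROUPS, "jcr:read"):
            print(f"    shadowed entry with no effect: {shadowed.principal} allow={shadowed.allow}")
```

Under this model the policy as posted denies `jcr:read` to perm_17_user because the all_tenants deny is the last group entry evaluated, reordering the two entries flips the result, and a direct user grant wins regardless of position. The model is only a reasoning aid: the authoritative answer is always what the repository returns for the user (the `content.1.json` call in the thread), so use `explain()` next to that output rather than instead of it, and treat anything `ineffective_entries()` reports as a policy that does not do what its author intended.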
