Hi Andy

Glad I could help!

Regards
Julian

On Fri, Apr 24, 2020 at 4:34 PM Andreas Schaefer <[email protected]> wrote:
>
> Hi Julian
>
> Darn, that was the ticket. I was so convinced that the top permission would
> win that I never tried that.
> So reordering the permission so that the tenant group is last in the list of
> policies does do what I want.
>
> I am sorta missing the view in AEM that shows which permission is applied.
>
> Thanks - Andy
>
> > On Apr 24, 2020, at 1:04 AM, Julian Sedding <[email protected]> wrote:
> >
> > Hi
> >
> > I get the impression that you assume an “allow” has precedence over “deny”.
> > I am pretty sure that “user” permissions have precedence over “group”
> > permissions, but otherwise the order of the ACL is relevant (last wins).
> > Try reordering your ACL and see if that helps.
> >
> > Regards
> > Julian
> >
> >
> > On Fri, 24 Apr 2020 at 07:52, Andreas Schaefer <[email protected]>
> > wrote:
> >
> >> Hi
> >>
> >> I might be doing something wrong but I am running into issues with Sling
> >> resource permissions.
> >> This is my setup:
> >>
> >> - User: perm_17_user
> >> - Group: perm_17_group
> >> - Group: tenant_all
> >> - User is part of both groups
> >> - Everyone has read access to /
> >> - Resource: /content/perm_17
> >> - perm_17_group has jcr:all granted
> >> - tenant_all has jcr:all denied
> >>
> >> Groups:
> >>
> >> curl -u admin:admin http://localhost:8080/home/groups.2.json | jq
> >> {
> >>   "jcr:primaryType": "rep:AuthorizableFolder",
> >>   "tenants": {
> >>     "jcr:primaryType": "rep:AuthorizableFolder",
> >>     "HDE3HZ3kFOirj8vCLpgj5": {
> >>       "jcr:primaryType": "rep:Group",
> >>       "jcr:mixinTypes": [
> >>         "rep:AccessControllable"
> >>       ],
> >>       "jcr:createdBy": "admin",
> >>       "jcr:created": "Thu Apr 23 2020 15:58:06 GMT-0700",
> >>       "rep:principalName": "all_tenants",
> >>       "jcr:uuid": "c273e21f-1cf9-3f59-80e8-a760e7930b8d",
> >>       "rep:members": [
> >>         "3c23d2bf-61a4-3204-bde0-6a3e86d2d04b",
> >>         "42cd1880-d41d-3b27-ab4a-f0235da1715c",
> >>         "00344a23-f67d-3f6b-951e-71c2ae5e0482",
> >>         "ef43d954-cf0d-3d61-9ab2-b9a5259619c0",
> >>         "a197e96b-cf2b-3cbd-bab4-103bd0e1646d"
> >>       ],
> >>       "rep:authorizableId": "all_tenants"
> >>     },
> >>     "QMRo8OL5zNSaHnA4zK4YV": {
> >>       "jcr:primaryType": "rep:Group",
> >>       "jcr:mixinTypes": [
> >>         "rep:AccessControllable"
> >>       ],
> >>       "jcr:createdBy": "peregrine-service-user",
> >>       "jcr:created": "Thu Apr 23 2020 18:02:27 GMT-0700",
> >>       "rep:principalName": "perm_17_group",
> >>       "jcr:uuid": "a197e96b-cf2b-3cbd-bab4-103bd0e1646d",
> >>       "rep:members": [
> >>         "6e0b16ee-cdf4-3a65-9a22-951b7828ce52"
> >>       ],
> >>       "rep:authorizableId": "perm_17_group"
> >>     },
> >>
> >> Users:
> >>
> >> curl -u admin:admin http://localhost:8080/home/users.2.json | jq
> >> {
> >>   "jcr:primaryType": "rep:AuthorizableFolder",
> >>   "tenants": {
> >>     "jcr:primaryType": "rep:AuthorizableFolder",
> >>     "7G1VbW9W5bThqIYQRNFbH": {
> >>       "jcr:primaryType": "rep:User",
> >>       "jcr:mixinTypes": [
> >>         "rep:AccessControllable"
> >>       ],
> >>       "jcr:createdBy": "peregrine-service-user",
> >>       "rep:password":
> >>         "{SHA-256}e6a0e743c84a57c9-1000-097a1bab311072202e27e03b4561b5238909a2426c708da982b85a5d78f02fba",
> >>       "jcr:created": "Thu Apr 23 2020 18:02:27 GMT-0700",
> >>       "rep:principalName": "perm_17_user",
> >>       "jcr:uuid": "6e0b16ee-cdf4-3a65-9a22-951b7828ce52",
> >>       "rep:authorizableId": "perm_17_user"
> >>     },
> >>
> >> EACL List:
> >>
> >> curl -u admin:admin http://localhost:8080/content/perm_17.eacl.json | jq
> >> {
> >>   "perm_17_group": {
> >>     "principal": "perm_17_group",
> >>     "granted": [
> >>       "jcr:all"
> >>     ],
> >>     "order": 0
> >>   },
> >>   "all_tenants": {
> >>     "principal": "all_tenants",
> >>     "denied": [
> >>       "jcr:all"
> >>     ],
> >>     "order": 1
> >>   },
> >>
> >> Finally when I list the resources in /content for user perm_17_user then
> >> it will not list perm_17:
> >>
> >> curl -u perm_17_user:perm_17_user http://localhost:8080/content.1.json |
> >> jq
> >>
> >> When I replace the group with the user to grant jcr:all then it does
> >> return that resource:
> >>
> >> curl -u perm_17_user:perm_17_user http://localhost:8080/content.1.json |
> >> jq
> >> {
> >>   "jcr:primaryType": "sling:OrderedFolder",
> >>   "jcr:mixinTypes": [
> >>     "rep:AccessControllable"
> >>   ],
> >>   "jcr:createdBy": "admin",
> >>   "jcr:created": "Thu Apr 23 2020 15:58:06 GMT-0700",
> >>   "nodejs": {
> >>     "jcr:primaryType": "sling:Folder",
> >>     "jcr:createdBy": "admin",
> >>     "jcr:title": "Sling Node Package Manager",
> >>     "jcr:created": "Thu Apr 23 2020 15:59:49 GMT-0700",
> >>     "jcr:description": "Sling Node Package Manager Content Root"
> >>   },
> >>   "perm_17": {
> >>     "jcr:primaryType": "per:Site",
> >>     "jcr:mixinTypes": [
> >>       "rep:AccessControllable"
> >>     ],
> >>     "jcr:title": "perm_17",
> >>     "template": false,
> >>     "sourceSite": "themecleanflex",
> >>     "internal": false
> >>
> >> This looks like the group membership of the user is not checked against
> >> the group.
> >> Is there anything I do wrong, is this a known issue or a bug?
> >>
> >> Cheers - Andy Schaefer
> >>
> >>
>
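The evaluation rule Julian describes (entries for the user principal itself are consulted before entries for the user's groups, and within each set the entry listed last wins) is what decides the outcome in the thread. The following is an added toy model of that rule, written for this thread and not code from Apache Sling or Oak; it deliberately ignores inheritance from ancestor nodes, restriction-based entries and aggregate privileges other than jcr:all, and uses the principal names, membership and entry order from the .eacl.json listing above. It also returns the entry that made the decision, which is the "which permission is applied" view the thread asks for.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Ace:
    """One access control entry as it appears in a .eacl.json listing."""
    principal: str
    allow: bool
    privileges: frozenset  # e.g. frozenset({"jcr:all"}) or frozenset({"jcr:read"})

    def covers(self, privilege: str) -> bool:
        # jcr:all is the aggregate of every privilege, so an entry granting or
        # denying it also decides any single privilege such as jcr:read.
        return privilege in self.privileges or "jcr:all" in self.privileges


def decide(acl: Sequence[Ace], user: str, groups: frozenset,
           privilege: str) -> Tuple[bool, Optional[Ace]]:
    """Return (granted, deciding_entry) for one user on one node.

    Simplified model of the rule from the thread: user-principal entries are
    evaluated before group-principal entries; within each set the entry listed
    last in the ACL takes precedence; the first match decides; no match means
    the default, which is deny.
    """
    for candidates in ((user,), groups):       # user principal first, then groups
        for ace in reversed(acl):              # later entries win over earlier ones
            if ace.principal in candidates and ace.covers(privilege):
                return ace.allow, ace
    return False, None                         # nothing matched: default deny


# Constructed from the thread's listing of /content/perm_17.eacl.json:
# order 0 grants jcr:all to perm_17_group, order 1 denies jcr:all to all_tenants.
GROUP_ALLOW = Ace("perm_17_group", True, frozenset({"jcr:all"}))
TENANT_DENY = Ace("all_tenants", False, frozenset({"jcr:all"}))
# Hypothetical entry for the user principal, not part of the thread's ACL.
USER_ALLOW = Ace("perm_17_user", True, frozenset({"jcr:read"}))

USER = "perm_17_user"
GROUPS = frozenset({"perm_17_group", "all_tenants"})   # membership from the thread


def as_posted():
    """ACL exactly as listed: the later group deny wins, so the node is hidden."""
    return decide([GROUP_ALLOW, TENANT_DENY], USER, GROUPS, "jcr:read")


def tenant_deny_first():
    """Same two entries with the deny moved first: the later group allow wins."""
    return decide([TENANT_DENY, GROUP_ALLOW], USER, GROUPS, "jcr:read")


def with_user_entry():
    """A user-principal allow decides even though a group deny is listed last."""
    return decide([USER_ALLOW, GROUP_ALLOW, TENANT_DENY], USER, GROUPS, "jcr:read")


def unrelated_user():
    """A principal that matches no entry falls through to the default deny."""
    return decide([GROUP_ALLOW, TENANT_DENY], "someone_else", frozenset(), "jcr:read")


if __name__ == "__main__":
    for label, fn in (("as posted", as_posted),
                      ("tenant deny listed first", tenant_deny_first),
                      ("user entry added", with_user_entry),
                      ("unrelated user", unrelated_user)):
        granted, ace = fn()
        who = f"{ace.principal} ({'allow' if ace.allow else 'deny'})" if ace else "no matching entry"
        print(f"{label:26s} jcr:read granted={granted!s:5s} decided by: {who}")
```

Running the script prints one line per scenario with the entry that decided it; the first two lines show why swapping the two group entries changes what perm_17_user can see, and the third shows why granting the user directly (as Andy tried) bypasses the group deny regardless of ordering. When auditing a real repository, the same walk over the .eacl.json entries, from the end of the list backwards and user entries before group entries, tells you which entry is effective without trial and error.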
