Eric Norman created SLING-9807:
----------------------------------

             Summary: AuthorizablePrivilegesInfo is checking for too many 
privileges for some of the operations
                 Key: SLING-9807
                 URL: https://issues.apache.org/jira/browse/SLING-9807
             Project: Sling
          Issue Type: Bug
            Reporter: Eric Norman
            Assignee: Eric Norman
             Fix For: JCR Jackrabbit User Manager 2.2.12


canRemove - should require only these privileges:
 # jcr:read
 # rep:userManagement

canUpdateGroupMembers - should require only these privileges:
 # jcr:read
 # rep:userManagement 

canUpdateProperties - should require only these privileges:
 * when adding a new (non-nested) property
 ## rep:addProperties
 * when adding a new nested property
 ## rep:addProperties
 ## jcr:addChildNodes
 * when altering an existing property
 ## rep:alterProperties
 * when removing a property
 ## rep:removeProperties

 

For canRemove and canUpdateGroupMembers this can be solved by reducing the set 
of privileges it is checking for.  For canUpdateProperties, a new variation of 
that method should be introduced where the user can pass in the types of 
property updates that are expected to be needed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
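
An added sketch of the narrowed checks this issue proposes, in Java; it is not code from Sling or from the reporter. The `PropertyUpdateType` enum, the method signatures and the granted-privilege set are hypothetical, and privileges are modeled as plain strings instead of being resolved through the repository's access control API.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added illustration only: models the per-operation privilege sets from the issue.
public class NarrowedPrivilegeChecks {
    // Hypothetical enum for the kinds of property update a caller can declare.
    enum PropertyUpdateType { ADD_PROPERTY, ADD_NESTED_PROPERTY, ALTER_PROPERTY, REMOVE_PROPERTY }

    // canRemove and canUpdateGroupMembers: the reduced set listed in the issue.
    static final Set<String> USER_MANAGEMENT = Set.of("jcr:read", "rep:userManagement");

    // canUpdateProperties: privileges per update type, as listed in the issue.
    static final Map<PropertyUpdateType, Set<String>> REQUIRED = Map.of(
        PropertyUpdateType.ADD_PROPERTY, Set.of("rep:addProperties"),
        PropertyUpdateType.ADD_NESTED_PROPERTY, Set.of("rep:addProperties", "jcr:addChildNodes"),
        PropertyUpdateType.ALTER_PROPERTY, Set.of("rep:alterProperties"),
        PropertyUpdateType.REMOVE_PROPERTY, Set.of("rep:removeProperties"));

    // Union of the privileges needed for exactly the declared update types.
    static Set<String> requiredFor(PropertyUpdateType... types) {
        Set<String> needed = new TreeSet<>();
        for (PropertyUpdateType t : types) {
            needed.addAll(REQUIRED.get(t));
        }
        return needed;
    }

    static boolean canRemove(Set<String> granted) {
        return granted.containsAll(USER_MANAGEMENT);
    }

    static boolean canUpdateProperties(Set<String> granted, PropertyUpdateType... types) {
        return granted.containsAll(requiredFor(types));
    }

    public static void main(String[] args) {
        // Constructed sample: a principal that may only read, add and alter properties.
        Set<String> granted = Set.of("jcr:read", "rep:addProperties", "rep:alterProperties");

        // Assumption: asking for every update type stands in for an over-broad check.
        System.out.println("all update types: "
            + canUpdateProperties(granted, PropertyUpdateType.values()));
        // Declaring only the update that is actually needed.
        System.out.println("alter only:       "
            + canUpdateProperties(granted, PropertyUpdateType.ALTER_PROPERTY));
        // A nested add also needs jcr:addChildNodes, which this principal lacks.
        System.out.println("nested add:       "
            + canUpdateProperties(granted, PropertyUpdateType.ADD_NESTED_PROPERTY));
        System.out.println("remove user:      " + canRemove(granted));
    }
}
```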
