Yes, the ordering matters as checking stops as soon as the first match is found. I'm not sure that a policy contribution would be sufficient as this is a core security behaviour.
See [http://www.nuxeo.org/static/book-draft/ch11.html]. Extract from that book:

11.4.2. Ordering of ACLs and ACEs

We mentioned before that an ACP is a list of ACLs and an ACL is a list of ACEs. That was true, but not all the information you need to understand how they work; both of these lists are ordered and the order is significant to the resulting access control that is applied by Nuxeo.

Let's start with a typical example of an ACL. Suppose the ordered list of ACEs that make up this example is:

1. GRANT, WRITE, User: Mary
2. DENY, READ, User: Joe
3. GRANT, READ, Group: Members

It should be fairly clear that the goal of this ACL in English is, "Everybody in the Nuxeo system can read this document except Joe. In addition, Mary can write to it." When evaluating whether Joe can read the document, Nuxeo stops checking when it finds the first rule that applies to the user in question. Thus, starting from 1, Joe will be denied READ access, but if the order were reversed - since Joe is a member of the group 'Members' - Joe would be granted read access. Processing of the ACE list would stop as soon as a match occurred, and that would be when the group rule was encountered.

-- Posted by "bgrant" at Nuxeo Discussions <http://nuxeo.org/discussions>
View the complete thread: <http://www.nuxeo.org/discussions/thread.jspa?threadID=3806#11660>

_______________________________________________
ECM mailing list
http://lists.nuxeo.com/mailman/listinfo/ecm
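The first-match rule described in the quoted book extract, worked through in code. This is an added example written for this page, not Nuxeo's own access-control implementation: the ACE representation, the "User:"/"Group:" principal naming and the membership table are assumptions made for the illustration (the post itself only states that Joe is in the 'Members' group). Beyond reproducing the Joe/Mary case, it adds a small audit check, shadowed_denies, that flags the misordering the post warns about: a DENY for a user that can never fire because an earlier GRANT of the same permission already matches that user through a group.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ACE:
    """One access control entry: GRANT (granted=True) or DENY of a
    permission to a principal. Principals are written "User:<name>" or
    "Group:<name>"; this naming is an assumption for the example."""
    granted: bool
    permission: str
    principal: str


# The example ACL from the post, in the order the post gives it.
EXAMPLE_ACL: List[ACE] = [
    ACE(True, "WRITE", "User:Mary"),
    ACE(False, "READ", "User:Joe"),
    ACE(True, "READ", "Group:Members"),
]

# Constructed membership table (assumption: both users are in 'Members').
MEMBERSHIP: Dict[str, Set[str]] = {"Mary": {"Members"}, "Joe": {"Members"}}


def principals_for(user: str, groups: Iterable[str]) -> Set[str]:
    """Every principal name that applies to this user: the user itself
    plus each group the user belongs to."""
    return {f"User:{user}"} | {f"Group:{g}" for g in groups}


def first_match(acl: List[ACE], user: str, groups: Iterable[str],
                permission: str) -> Optional[int]:
    """Index of the first ACE that applies to this user and permission,
    or None if no ACE matches. Evaluation stops at the first hit, which
    is what makes the ordering significant."""
    mine = principals_for(user, groups)
    for i, ace in enumerate(acl):
        if ace.permission == permission and ace.principal in mine:
            return i
    return None


def check_access(acl: List[ACE], user: str, groups: Iterable[str],
                 permission: str, default: bool = False) -> bool:
    """First-match decision. If nothing matches, fall back to `default`
    (deny by default here; the post does not state Nuxeo's fallback)."""
    i = first_match(acl, user, groups, permission)
    return default if i is None else acl[i].granted


def shadowed_denies(acl: List[ACE],
                    membership: Dict[str, Set[str]]) -> List[Tuple[int, int]]:
    """Audit check: find per-user DENY entries that can never take effect
    because an earlier GRANT of the same permission already matches that
    user, directly or via one of their groups. Returns (deny_index,
    grant_index) pairs; an empty list means no DENY is shadowed."""
    shadowed: List[Tuple[int, int]] = []
    for i, deny in enumerate(acl):
        if deny.granted or not deny.principal.startswith("User:"):
            continue
        user = deny.principal[len("User:"):]
        mine = principals_for(user, membership.get(user, set()))
        for j in range(i):
            earlier = acl[j]
            if (earlier.granted and earlier.permission == deny.permission
                    and earlier.principal in mine):
                shadowed.append((i, j))
                break
    return shadowed


if __name__ == "__main__":
    reversed_acl = list(reversed(EXAMPLE_ACL))
    for label, acl in (("as written", EXAMPLE_ACL), ("reversed", reversed_acl)):
        joe_read = check_access(acl, "Joe", MEMBERSHIP["Joe"], "READ")
        print(f"{label}: Joe READ -> {'GRANT' if joe_read else 'DENY'}; "
              f"shadowed denies: {shadowed_denies(acl, membership=MEMBERSHIP)}")
```

Run with the ACL as written, Joe's DENY is hit at position 2 before the group GRANT and the audit returns nothing; with the list reversed, the group GRANT at position 1 matches Joe first, so he can read, and shadowed_denies reports the DENY at index 1 as shadowed by the GRANT at index 0. Running such a check over each ACL before it is saved is a cheap way to catch the ordering mistake the post describes.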
