Author: angela
Date: Wed Jan 16 15:23:00 2019
New Revision: 1851451
URL: http://svn.apache.org/viewvc?rev=1851451&view=rev
Log:
OAK-7982 : ACL.addEntry: check for mandatory restrictions only respects single
value restrictions
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java?rev=1851451&r1=1851450&r2=1851451&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
Wed Jan 16 15:23:00 2019
@@ -100,9 +100,17 @@ abstract class ACL extends AbstractAcces
}
for (RestrictionDefinition def :
getRestrictionProvider().getSupportedRestrictions(getOakPath())) {
- String jcrName = getNamePathMapper().getJcrName(def.getName());
- if (def.isMandatory() && (restrictions == null ||
!restrictions.containsKey(jcrName))) {
- throw new AccessControlException("Mandatory restriction " +
jcrName + " is missing.");
+ if (def.isMandatory()) {
+ String jcrName = getNamePathMapper().getJcrName(def.getName());
+ boolean mandatoryPresent;
+ if (def.getRequiredType().isArray()) {
+ mandatoryPresent = (mvRestrictions != null &&
mvRestrictions.containsKey(jcrName));
+ } else {
+ mandatoryPresent = (restrictions != null &&
restrictions.containsKey(jcrName));
+ }
+ if (!mandatoryPresent) {
+ throw new AccessControlException("Mandatory restriction "
+ jcrName + " is missing.");
+ }
}
}
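Review bot: Both branches of the new presence test use `containsKey`, so a key mapped to `null` (or, in the array branch, to an empty `Value[]`) still counts as supplying the mandatory restriction. Whether later code in this method rejects such an entry is not visible in the hunk, because the enclosing loop and method start and end outside it. If nothing does, an access control entry can be created with a mandatory restriction that carries no value. Consider checking the mapped value instead, for example `mandatoryPresent = mvRestrictions != null && mvRestrictions.get(jcrName) != null;`, and decide explicitly whether a zero-length array is acceptable. A short comment such as `// a mandatory restriction passed in the map of the wrong cardinality is treated as missing` would also record the behaviour this change introduces.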
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java?rev=1851451&r1=1851450&r2=1851451&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
Wed Jan 16 15:23:00 2019
@@ -830,17 +830,52 @@ public class ACLTest extends AbstractAcc
}
}
- @Test
+ @Test(expected = AccessControlException.class)
public void testMandatoryRestrictions() throws Exception {
RestrictionProvider rp = new TestRestrictionProvider("mandatory",
Type.NAME, true);
JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
- try {
- acl.addEntry(testPrincipal, testPrivileges, false,
Collections.<String, Value>emptyMap());
- fail("Mandatory restriction must be enforced.");
- } catch (AccessControlException e) {
- // mandatory restriction missing -> success
- }
+ acl.addEntry(testPrincipal, testPrivileges, false,
Collections.emptyMap(), Collections.emptyMap());
+ }
+
+ @Test
+ public void testMandatoryRestrictionsPresent() throws Exception {
+ RestrictionProvider rp = new TestRestrictionProvider("mandatory",
Type.NAME, true);
+
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
+ acl.addEntry(testPrincipal, testPrivileges, false,
Collections.singletonMap("mandatory", valueFactory.createValue("name",
PropertyType.NAME)), Collections.emptyMap());
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testMandatoryRestrictionsPresentAsMV() throws Exception {
+ RestrictionProvider rp = new TestRestrictionProvider("mandatory",
Type.NAME, true);
+
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
+ acl.addEntry(testPrincipal, testPrivileges, false,
Collections.emptyMap(), Collections.singletonMap("mandatory", new Value[]
{valueFactory.createValue("name", PropertyType.NAME)}));
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testMandatoryMVRestrictions() throws Exception {
+ RestrictionProvider rp = new TestRestrictionProvider("mandatory",
Type.NAMES, true);
+
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
+ acl.addEntry(testPrincipal, testPrivileges, false,
Collections.emptyMap(), Collections.emptyMap());
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testMandatoryMVRestrictionsPresentAsSingle() throws Exception {
+ RestrictionProvider rp = new TestRestrictionProvider("mandatory",
Type.NAMES, true);
+
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
+ acl.addEntry(testPrincipal, testPrivileges, false,
Collections.singletonMap("mandatory", valueFactory.createValue("name",
PropertyType.NAME)), Collections.emptyMap());
+ }
+
+ @Test
+ public void testMandatoryMVRestrictionsPresent() throws Exception {
+ RestrictionProvider rp = new TestRestrictionProvider("mandatory",
Type.NAMES, true);
+
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
+ acl.addEntry(testPrincipal, testPrivileges, false,
Collections.emptyMap(), Collections.singletonMap("mandatory", new Value[]
{valueFactory.createValue("name", PropertyType.NAME)}));
}
//--------------------------------------------------------------------------
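Review bot: `@Test(expected = AccessControlException.class)` covers the whole method body, so these tests pass if any statement throws that exception, not only the mandatory-restriction check. This matters most for `testMandatoryRestrictionsPresentAsMV` and `testMandatoryMVRestrictionsPresentAsSingle`, where the value has the wrong cardinality and could plausibly be rejected by some other validation in `addEntry` (not visible here). The removed try/fail form limited the expectation to the `addEntry` call. Keeping that form and adding `assertTrue(e.getMessage().contains("Mandatory restriction"));` in the catch block would tie each negative test to the check in ACL.java, so a regression in this authorization guard cannot be masked by an unrelated failure.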