Author: angela
Date: Wed Jan 16 16:46:38 2019
New Revision: 1851470
URL: http://svn.apache.org/viewvc?rev=1851470&view=rev
Log:
OAK-7982 : ACL.addEntry: check for mandatory restrictions only respects single
value restrictions (merging rev. 1851451)
Modified:
jackrabbit/oak/branches/1.10/ (props changed)
jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
jackrabbit/oak/branches/1.10/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
Propchange: jackrabbit/oak/branches/1.10/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Jan 16 16:46:38 2019
@@ -1,2 +1,3 @@
/jackrabbit/oak/branches/1.0:1665962
+/jackrabbit/oak/trunk:1851451
/jackrabbit/trunk:1345480
Modified:
jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java?rev=1851470&r1=1851469&r2=1851470&view=diff
==============================================================================
---
jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
(original)
+++
jackrabbit/oak/branches/1.10/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
Wed Jan 16 16:46:38 2019
@@ -100,9 +100,17 @@ abstract class ACL extends AbstractAcces
}
for (RestrictionDefinition def :
getRestrictionProvider().getSupportedRestrictions(getOakPath())) {
- String jcrName = getNamePathMapper().getJcrName(def.getName());
- if (def.isMandatory() && (restrictions == null ||
!restrictions.containsKey(jcrName))) {
- throw new AccessControlException("Mandatory restriction " +
jcrName + " is missing.");
+ if (def.isMandatory()) {
+ String jcrName = getNamePathMapper().getJcrName(def.getName());
+ boolean mandatoryPresent;
+ if (def.getRequiredType().isArray()) {
+ mandatoryPresent = (mvRestrictions != null &&
mvRestrictions.containsKey(jcrName));
+ } else {
+ mandatoryPresent = (restrictions != null &&
restrictions.containsKey(jcrName));
+ }
+ if (!mandatoryPresent) {
+ throw new AccessControlException("Mandatory restriction "
+ jcrName + " is missing.");
+ }
}
}
Modified:
jackrabbit/oak/branches/1.10/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.10/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java?rev=1851470&r1=1851469&r2=1851470&view=diff
==============================================================================
---
jackrabbit/oak/branches/1.10/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
(original)
+++
jackrabbit/oak/branches/1.10/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
Wed Jan 16 16:46:38 2019
@@ -830,17 +830,52 @@ public class ACLTest extends AbstractAcc
}
}
- @Test
+ @Test(expected = AccessControlException.class)
public void testMandatoryRestrictions() throws Exception {
RestrictionProvider rp = new TestRestrictionProvider("mandatory",
Type.NAME, true);
JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
- try {
- acl.addEntry(testPrincipal, testPrivileges, false,
Collections.<String, Value>emptyMap());
- fail("Mandatory restriction must be enforced.");
- } catch (AccessControlException e) {
- // mandatory restriction missing -> success
- }
+ acl.addEntry(testPrincipal, testPrivileges, false,
Collections.emptyMap(), Collections.emptyMap());
+ }
+
+ @Test
+ public void testMandatoryRestrictionsPresent() throws Exception {
+ RestrictionProvider rp = new TestRestrictionProvider("mandatory",
Type.NAME, true);
+
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
+ acl.addEntry(testPrincipal, testPrivileges, false,
Collections.singletonMap("mandatory", valueFactory.createValue("name",
PropertyType.NAME)), Collections.emptyMap());
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testMandatoryRestrictionsPresentAsMV() throws Exception {
+ RestrictionProvider rp = new TestRestrictionProvider("mandatory",
Type.NAME, true);
+
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
+ acl.addEntry(testPrincipal, testPrivileges, false,
Collections.emptyMap(), Collections.singletonMap("mandatory", new Value[]
{valueFactory.createValue("name", PropertyType.NAME)}));
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testMandatoryMVRestrictions() throws Exception {
+ RestrictionProvider rp = new TestRestrictionProvider("mandatory",
Type.NAMES, true);
+
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
+ acl.addEntry(testPrincipal, testPrivileges, false,
Collections.emptyMap(), Collections.emptyMap());
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testMandatoryMVRestrictionsPresentAsSingle() throws Exception {
+ RestrictionProvider rp = new TestRestrictionProvider("mandatory",
Type.NAMES, true);
+
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
+ acl.addEntry(testPrincipal, testPrivileges, false,
Collections.singletonMap("mandatory", valueFactory.createValue("name",
PropertyType.NAME)), Collections.emptyMap());
+ }
+
+ @Test
+ public void testMandatoryMVRestrictionsPresent() throws Exception {
+ RestrictionProvider rp = new TestRestrictionProvider("mandatory",
Type.NAMES, true);
+
+ JackrabbitAccessControlList acl = createACL(TEST_PATH, new
ArrayList(), namePathMapper, rp);
+ acl.addEntry(testPrincipal, testPrivileges, false,
Collections.emptyMap(), Collections.singletonMap("mandatory", new Value[]
{valueFactory.createValue("name", PropertyType.NAME)}));
}
//--------------------------------------------------------------------------
