hi jukka
i am not talking about commit hooks but rather about regular
JCR item access and write operations with a non-admin session.
there we can't guarantee that a given session as full read
permission on the complete tree and may even face the situation
were read access is only granted in given subtree. that's the
use case i am referring to and it's only here where we violate
backwards compatibility if that session can't read on the
mentioned subtrees underneath jcr:system. as far as i remember
the specification doesn't make any statements regarding
restricted access to namespaces or nodetypes, so we may look
for the solution that fits our needs the best.
if we can agree on a backwards compatible setup, the easiest thing
probably was to allow read access for node types, namespaces and
privileges without having to create a separated ACL for all of
those.
kind regards
angela
On 4/22/13 11:02 AM, Jukka Zitting wrote:
Hi,
On Mon, Apr 22, 2013 at 11:22 AM, Angela Schreiber<[email protected]> wrote:
now, as of oak all of them are stored and accessed in the repository
and are consequently affected by regular item read access which
basically breaks backwards compatibility.
Note that the commit hooks and things like search indices work below
access controls, so they can in any case see the full /jcr:system
subtree and any repository metadata stored there.
The only bits that would be affected in the odd case where an
administrator would deny read access to something like the
/jcr:system/jcr:nodeTypes subtree would be the JCR-level
NodeTypeRegistry implementation and related methods. That might well
break some clients, but so would an administrator explicitly modifying
the builtin nodetypes file in Jackrabbit 2.x.
So at best I'd simply document that to keep an Oak repository
backwards compatible and JCR compliant, one shouldn't apply extra read
access controls on the repository metadata stored under /jcr:system.
There shouldn't be any need to explicitly enforce that in code.
If needed, I wouldn't be opposed to having an explicit access control
entry in /jcr:system that grants everyone read access to that subtree,
excluding version histories and other sensitive areas that in any case
are handled separately. Ideally I don't think that should be needed
though, as IMO content should be readable by default, unless
explicitly denied by access control.
BR,
Jukka Zitting
