hi marco On 23/03/17 09:08, "Marco Piovesana" <pioves...@esteco.com> wrote:
>Hi all, I was trying to change the permissions on a *versioned* node and i >found two things that I don't quite understand: >1) If i try to do an AccessControlUtils.addAccessControlEntry(...) i got >an >error if the node in not checked-out (and this seems consistent with what >written on JCR-1639 ><https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.a >pache.org%2Fjira%2Fbrowse%2FJCR-1639&data=02%7C01%7C%7C01fba7b52c3d4f6e5b1 >408d471c6bde3%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636258545789584 >278&sdata=Q3h1IR0CUjcHWF87kf2YGCrzIHlhO7Gve0F44w6QRPg%3D&reserved=0>). afaik this is covered by the "VersionEditor" that asserts that versionable nodes are checked-out when changes occur. >However I can do an AccessControlUtils.clear(...) without any error. Why? looking at the "VersionEditor" class it seems that the check is only performed for the following operations: - propertyAdded(PropertyState) - propertyChanged(PropertyState, PropertyState) - propertyDeleted(PropertyState) however not for - childNodeAdded(String name, NodeState after) - childNodeRemoved(String name, NodeState after) since i am not the author of that code, i don't know the reason for this... would have expected the same check to be performed there. >Aren't they both changing the ACL? yes... are you calling save and thus make sure you trigger the 'VersionEditor'? if you do, my guess would be that it's may not trigger the checkin-state-verifying methods if the whole subtree is removed... but that's just a wild guess... i didn't verify.... if that was really the case that might be a bug in the versioning code. > >2) When I do AccessControlUtils.addAccessControlEntry(...) the error that >i >receive is: *OakVersion0001: Cannot add property jcr:mixinTypes on checked >in node*. Why a change on the ACL should change the *jcr:mixinTypes*? My >node was already versionable. the utility method will create a new policy node (if not yet present) which in the default implementation includes adding a mixin type to the access controlled node... but it's not really relevant here... if it wasn't for the mixin type it would fail for some other property being added. a checked-in node is immutable which includes any modifications related to access control management. > >One last question: if I want to change the permissions without having to >check-out the node what I have to do? (I can do that by setting the >*jcr:mixinTypes* to *IGNORE* but i don't think is the right way... or >not?) you can't change the access control content associated with a checked-in node. you have to check it out before making any modifications. regarding the missing OakVersion exception wrt removal of nodes, may i kindly ask you to verify if you actually persist the changes? if you do and no exception is raised that might highlight an issue in the versioning. kind regards angela > > >Marco.
