Sure, I'll add a JIRA for it with the test case. One more question, if I want to separate the versioning of the node from the permission policy on it, can I set the OPV to ignore for the relative rep:policy node? Or that just doesn't work?
Marco On Wed, Oct 31, 2018 at 8:52 AM Angela Schreiber <[email protected]> wrote: > Hi Marco > > Upon checkin of a versionable node (and it's non-versionable subtree) > becomes read-only. I think the first behavior is a bug. Changing > permissions of a checked-in node should not be possible. The reason why you > are seeing it in the second case is due to the fact that a mixin is > automatically added to the checked-in node. But also the modification of > access control content in the subtree should trigger the exception (which > it doesn't apparently) > > Here a quote from the specification: > The node N and its connected non-versionable subtree become read-only. N's > connected non-versionable subtree is the set of non-versionable descendant > nodes reachable from N through child links without encountering any > versionable nodes. In other words, the read-only status flows down from the > checked-in node along every child link until either a versionable node is > encountered or an item with no children is encountered. > > Since the policy node and the access controlled content stored therein is > not versionable the checkin status of it's versionable parent (or ancestor > for that matter) should be enforced. > > May I ask you to create a JIRA ticket for that? > Thanks > Angela > > ________________________________________ > From: Marco Piovesana <[email protected]> > Sent: Tuesday, October 30, 2018 7:05 PM > To: [email protected] > Subject: ACL on versioned node > > Hi all, > I'm using Oak 1.8.1 and I don't think I fully understand how permissions > are handled in versioned nodes. > > If I create the first version of a node *after* adding an ACE to it, then I > can add or remove other ACE without having to checkout the node. > > If I create the first version of the node *before* adding the first ACE, > then I get the error (*OakVersion0001: Cannot change property > jcr:mixinTypes on checked in node*) whenever i try to modify the node > permissions without checking it out first. > > what is the expected behavior? Checkout should be required or not to modify > the user's permission on the node? > > Marco.
