hi konrad happy new year and sorry for the delay in responding! restrictions are part of the permission evaluation. so read operations will respect restrictions upon access of items and write operations are checked by the PermissionValidator (i.e. during commit).
there are one or two limited cases where permissions are additionally checked in the JCR layer when the check was needed for JCR compliance but not possible in oak. the current restriction API does not allow to limit to/for certain principals. restrictions are not aware of the principal a given entry is evaluated for but are only aware of the path and the item the permissions applies to. in other words: if you want to reliably limit/allow writing of certain nodes for a given principal i don't think it's doable with restrictions today. you could bind an ACE for a given principal and a restriction to the root node but the effect might then be overwritten by a different entry down in the hierarchy. maybe you can elaborate a bit on the use case? maybe there is way to address this in a reliable way. kind regards angela ________________________________ From: Konrad Windszus <[email protected]> Sent: Wednesday, December 28, 2022 15:45 To: [email protected] <[email protected]> Subject: Authorisation Restrictions: When are those evaluated? EXTERNAL: Use caution when clicking on links or opening attachments. Hi, I haven’t found any hint in https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html on when the restrictions are being evaluated. Is it before the changes have been committed, afterwards or both? This is particularly crucial to know for restrictions evaluating properties which are modified through a commit (e.g. a node name through Session.move(…), a property value modification via Node.setProperty(…), a primary type change via Node.setPrimaryType()). For example is it possible to restrict writing of nodes with a particular type (irrespective of their location and parent node structure) to only a certain principal? Thanks in advance, Konrad
