[ https://issues.apache.org/jira/browse/OAK-709?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13623508#comment-13623508 ]

angela commented on OAK-709:
----------------------------

> In most normal cases the majority of nodes in a repository only inherit 
> access settings from their ancestors and have no direct ACL settings on 
> themselves or any of their descendants.

yes... but just from looking at a given node state you don't know in advance
if there are policies set on the descendants. this is where the readstatus
comes into place. only if it's really known that there are no policies left
further down in the hierarchy and there are no extra restrictions present in
the policy-ancestry that may apply to individual child nodes somewhere down in
the hierarchy, we can skip the securenodestate.

with the extra permission store it's possible to calculate that inherited
information but it would not know if there is no 'other' access control
content present down in the tree as it only is aware of the actual permissions
of a given subject.
it was possible to determine that 'can-read-really-everything' if READ_AC
permission was made a precondition for having ALLOW_ALL read status or if we
further refine the readstatus to distinguish between "can read all regular
nodes" and "no further check required at all".
only for the latter we can skip the SecureNodeState
                
> Consider moving permission evaluation to the node state level
> -------------------------------------------------------------
>
>                 Key: OAK-709
>                 URL: https://issues.apache.org/jira/browse/OAK-709
>             Project: Jackrabbit Oak
>          Issue Type: Sub-task
>          Components: core
>            Reporter: angela
>         Attachments: 
> 0001-OAK-709-Consider-moving-permission-evaluation-to-the.patch, 
> 0001-OAK-709-Consider-moving-permission-evaluation-to-the.patch, 
> 0001-OAK-709-Consider-moving-permission-evaluation-to-the.patch, 
> 0001-OAK-709-Consider-moving-permission-evaluation-to-the.patch, 
> OAK-709_2.patch, OAK-709_3.patch, OAK-709-equals_hack.patch, OAK-709.patch, 
> SecureNodeState.java
>
>


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
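
A simplified model of the decision discussed in the comment above, added here as an illustration; it is not code from Oak or from any of the attached patches. The class `ReadStatusSketch`, the three `ReadStatus` values, the `Node` fields and the `statusFor` parameters are all hypothetical names, and the model assumes the subject already has inherited read access at the node being evaluated.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;
public class ReadStatusSketch {
    // Hypothetical refinement of the read status; not Oak's own type.
    enum ReadStatus { CHECK_EACH_NODE, ALLOW_ALL_REGULAR, NO_FURTHER_CHECK }
    static class Node {
        final String name;
        final boolean hasPolicy;         // access control content is stored at this node
        final boolean policyHitsSubject; // that policy has an entry for the subject
        final List<Node> children = new ArrayList<>();
        Node(String name, boolean hasPolicy, boolean policyHitsSubject) {
            this.name = name; this.hasPolicy = hasPolicy; this.policyHitsSubject = policyHitsSubject;
        }
        Node add(Node child) { children.add(child); return this; }
    }

    // True if any descendant of n (not n itself) matches p.
    static boolean anyBelow(Node n, Predicate<Node> p) {
        for (Node c : n.children) {
            if (p.test(c) || anyBelow(c, p)) return true;
        }
        return false;
    }

    // Assumes the subject already has read access at n through inheritance.
    // ancestryRestricted: a restriction in the policy ancestry may still apply to nodes below n.
    static ReadStatus statusFor(Node n, boolean ancestryRestricted, boolean hasReadAc) {
        if (ancestryRestricted || anyBelow(n, c -> c.policyHitsSubject)) {
            return ReadStatus.CHECK_EACH_NODE;   // the subject's permissions may change further down
        }
        if (anyBelow(n, c -> c.hasPolicy) && !hasReadAc) {
            return ReadStatus.ALLOW_ALL_REGULAR; // 'other' access control content must stay hidden
        }
        return ReadStatus.NO_FURTHER_CHECK;      // only here may the secure wrapper be skipped
    }

    public static void main(String[] args) {
        // Constructed sample tree.
        Node docs = new Node("docs", false, false)
            .add(new Node("public", false, false))
            .add(new Node("team", true, false));   // policy for other principals only
        Node root = new Node("root", false, false).add(docs)
            .add(new Node("private", true, true)); // policy with an entry for the subject
        System.out.println("root: " + statusFor(root, false, false));
        System.out.println("docs: " + statusFor(docs, false, false));
        System.out.println("docs with READ_AC: " + statusFor(docs, false, true));
    }
}
```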
