[
https://issues.apache.org/jira/browse/OAK-2412?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14287523#comment-14287523
]
angela commented on OAK-2412:
-----------------------------
In fact I wrote yet another test-case to also reflect the fact that you are
inheriting permissions through group membership and will attach the test later
on. The result was the same as above.
However, I found out today while working on another issue that
{{Node.getPrimaryType}} will throw an exception if access to the primary type
property (jcr:primaryType) is denied, which is the case if you have an empty
string glob pattern. In Jackrabbit 2.x however accessing the primary (and the
mixin types) was in this case successful if the regular JCR API call was used
even if accessing the property itself was denied. This looks like a regression
wrt Jackrabbit 2.x (though one might argue that the behavior as shown by Oak
was 'correct') and it might well be that AEM is relying on the Jackrabbit
behavior. I will track this in a separate issue and resolve this issue.
> Rep:glob in Access Control List Entry with empty value is not correctly handled
> -------------------------------------------------------------------------------
>
> Key: OAK-2412
> URL: https://issues.apache.org/jira/browse/OAK-2412
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core
> Affects Versions: 1.0.5
> Reporter: Roland Gruber
> Assignee: angela
> Attachments: OAK-2412_testJackrabbit.patch,
> OAK-2412_testJackrabbit_2.patch, OAK-2412_testOak.patch,
> OAK-2412_testOak_2.patch, acl_baseNode.png, acl_project1Node.png,
> acl_project2Node.png
>
>
> Setting a rep:glob with empty value ("") should restrict an ACL entry to the
> current node. This seems to no longer work (working with CRX2).
> See:
> http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html
> How to reproduce:
> 1. Set a deny rule on a node with jcr:read and no rep:glob
> 2. Set an allow rule to the same node with rep:glob ""
> Expected result: Node is readable (subnodes are not readable)
> Actual result: Node is not readable
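Added example, not part of the original JIRA message and not Oak or Jackrabbit code: a simplified Python model of the rep:glob matching described in the linked GlobPattern Javadoc, applied to the two reproduction steps and to the jcr:primaryType property mentioned in the comment. The paths, the `Entry` class and the "last matching entry wins" evaluation order are assumptions made for the illustration; the `*` wildcard case goes beyond the two cases in the report.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    """One jcr:read ACL entry on a node (hypothetical model, not Oak's class)."""
    node_path: str
    allow: bool
    glob: Optional[str] = None  # None means: no rep:glob restriction at all

    def matches(self, item_path: str) -> bool:
        if self.glob is None:
            # No restriction: the node itself and its whole subtree.
            prefix = self.node_path.rstrip("/") + "/"
            return item_path == self.node_path or item_path.startswith(prefix)
        # With rep:glob, node path + glob form the pattern; '*' matches any
        # run of characters including '/'. An empty glob therefore leaves
        # only the node path itself: no properties, no child nodes.
        parts = (self.node_path + self.glob).split("*")
        pattern = ".*".join(re.escape(p) for p in parts)
        return re.fullmatch(pattern, item_path) is not None


def can_read(entries, item_path, default=False):
    """Assumed evaluation order: the last matching entry in the list wins."""
    for entry in reversed(entries):
        if entry.matches(item_path):
            return entry.allow
    return default


def reproduce():
    """Steps 1 and 2 of the report on a constructed node '/base'."""
    acl = [
        Entry("/base", allow=False),          # 1. deny jcr:read, no rep:glob
        Entry("/base", allow=True, glob=""),  # 2. allow jcr:read, rep:glob ""
    ]
    paths = ["/base", "/base/child", "/base/jcr:primaryType", "/basement"]
    return {p: can_read(acl, p) for p in paths}


if __name__ == "__main__":
    for path, readable in reproduce().items():
        print(f"{path:24} {'readable' if readable else 'denied'}")
```

In this model the node is readable while its child node and its jcr:primaryType property stay denied, which is the expected result from the report and the situation the comment describes for the primary type property.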