[
https://issues.apache.org/jira/browse/OAK-8101?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Davide Giannella updated OAK-8101:
----------------------------------
Fix Version/s: (was: 1.11.0)
> AccessControlValidator prevents alternative authorization models to use
> restrictions
> ------------------------------------------------------------------------------------
>
> Key: OAK-8101
> URL: https://issues.apache.org/jira/browse/OAK-8101
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core, security
> Reporter: angela
> Assignee: angela
> Priority: Major
> Fix For: 1.12.0
>
> Attachments: OAK-8101.patch
>
>
> [~stillalex], while working on an authorization related PoC I noticed that
> the {{AccessControlValidator}} present with the default implementation
> essentially prevents additional authorization models from making use of the
> default {{RestrictionProvider}} implementation that stores restrictions in a
> dedicated tree of type _rep:Restrictions_. It does so by asserting that a
> {{NodeState}} with this primary type is always located below an access
> control entry with the format defined by the default impl before validating
> the restrictions.
> This could e.g. be fixed as follows:
> - if the parent {{NodeState}} is indeed an entry as defined by the default
> implementation -> validate using implementation details
> - otherwise: throw {{CommitFailedException}} if the parent {{NodeState}} does
> not denote an access control tree as defined by the (composite) {{Context}}.
> This would allow other models to make use of restrictions and validate them
> accordingly, while still failing the commit if an isolated restriction tree
> was spotted i.e. one outside of the access control context.
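The parent check described in the report, next to the two-branch check it proposes, as an added example that is not Oak code and not the attached OAK-8101.patch. Node, CommitFailed, the composite predicate and the ex:CustomEntry type are hypothetical stand-ins; rep:GrantACE and rep:DenyACE are assumed here to be the default entry types.

```java
import java.util.Set;
import java.util.function.Predicate;

public class RestrictionParentCheck {
    // Stand-in for a NodeState: only the primary type matters for this check.
    record Node(String primaryType) {}

    // Stand-in for Oak's CommitFailedException.
    static class CommitFailed extends Exception {
        CommitFailed(String msg) { super(msg); }
    }

    // Assumption: entry node types of the default authorization model.
    static final Set<String> DEFAULT_ACE_TYPES = Set.of("rep:GrantACE", "rep:DenyACE");

    // Behaviour described in the report: parent must be a default-format entry.
    static String strictCheck(Node parent) throws CommitFailed {
        if (!DEFAULT_ACE_TYPES.contains(parent.primaryType())) {
            throw new CommitFailed("rep:Restrictions not below a default access control entry");
        }
        return "validated with default implementation details";
    }

    // Proposed behaviour: default entries are validated as before; any other
    // parent must at least be access control content per the composite context.
    static String proposedCheck(Node parent, Predicate<Node> definesAcTree) throws CommitFailed {
        if (DEFAULT_ACE_TYPES.contains(parent.primaryType())) {
            return "validated with default implementation details";
        }
        if (!definesAcTree.test(parent)) {
            throw new CommitFailed("isolated rep:Restrictions tree outside access control content");
        }
        return "accepted; validation left to the owning model";
    }

    public static void main(String[] args) {
        // Constructed composite context: default entries plus one hypothetical model's entry type.
        Predicate<Node> composite = n -> DEFAULT_ACE_TYPES.contains(n.primaryType())
                || "ex:CustomEntry".equals(n.primaryType());
        for (String type : new String[] {"rep:GrantACE", "ex:CustomEntry", "nt:unstructured"}) {
            Node parent = new Node(type);
            String before, after;
            try { before = strictCheck(parent); } catch (CommitFailed e) { before = "FAIL: " + e.getMessage(); }
            try { after = proposedCheck(parent, composite); } catch (CommitFailed e) { after = "FAIL: " + e.getMessage(); }
            System.out.println(type + "\n  current:  " + before + "\n  proposed: " + after);
        }
    }
}
```

Only the middle case changes outcome: a restriction tree below another model's entry is rejected by the current check and accepted by the proposed one, while the isolated tree still fails the commit under both.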