Angela Schreiber created OAK-9763:
-------------------------------------
Summary: Allow for restrictions evaluation against set of effective principal
Key: OAK-9763
URL: https://issues.apache.org/jira/browse/OAK-9763
Project: Jackrabbit Oak
Issue Type: New Feature
Components: authorization-principalbased, core, security, security-spi
Reporter: Angela Schreiber
Assignee: Angela Schreiber
Today it is not possible to plug a custom {{RestrictionProvider}} with
restrictions (or restriction-patterns for that matter) that would allow to
evaluate against the effective set of principals for which permission
evaluation is executed.
Reason: In contrast to
{{AuthorizationConfiguration.getPermissionProvider()}},
{{AuthorizationConfiguration.getRestrictionProvider()}}
does not get the set of effective principals passed.
What is possible today is something like e.g.
{code}
allow everyone jcr:read on /content with restriction jcr:title = "abc"
{code}
What is not feasible today is something like
{code}
allow everyone jcr:read on /content with restriction ownerProperty = currentPrincipal()
{code}
as the restriction evaluation today is agnostic of the principals for which the
restrictions are being evaluated.
This improvement aims for investigating what it would take to make the set of
principals available with the {{PermissionProvider}} available to the
{{RestrictionProvider}} during evaluation.
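The gap described in the issue, as an added example (a simplified Java model written for this page, not Oak code and not part of the issue). The types `Node` and `Pattern`, the helpers `propertyEquals`, `ownedByAny` and `canRead`, and the `owner` property are hypothetical; the sample nodes are constructed.

```java
import java.util.Map;
import java.util.Set;

// Simplified model for illustration; none of these types are Oak's API.
public class RestrictionDemo {
    record Node(String path, Map<String, String> props) {}

    // Hypothetical pattern: like today's evaluation, it sees only the item.
    interface Pattern { boolean matches(Node node); }

    // Principal-agnostic: expressible today (jcr:title = "abc").
    static Pattern propertyEquals(String name, String value) {
        return n -> value.equals(n.props().get(name));
    }

    // Needs the effective principals when the pattern is built, which is
    // exactly the input the restriction provider does not receive today.
    static Pattern ownedByAny(String ownerProp, Set<String> effectivePrincipals) {
        Set<String> principals = Set.copyOf(effectivePrincipals);
        return n -> {
            String owner = n.props().get(ownerProp);
            return owner != null && principals.contains(owner);
        };
    }

    // "allow everyone jcr:read on /content" plus one restriction pattern.
    static boolean canRead(Node n, Pattern restriction) {
        boolean inSubtree = n.path().equals("/content") || n.path().startsWith("/content/");
        return inSubtree && restriction.matches(n);
    }

    public static void main(String[] args) {
        // Constructed sample content.
        Node a = new Node("/content/a", Map.of("jcr:title", "abc", "owner", "alice"));
        Node b = new Node("/content/b", Map.of("jcr:title", "abc", "owner", "bob"));

        Pattern title = propertyEquals("jcr:title", "abc");
        System.out.println("title restriction:  a=" + canRead(a, title) + " b=" + canRead(b, title));

        // Same entry, evaluated for two different sets of effective principals.
        Pattern forAlice = ownedByAny("owner", Set.of("alice", "everyone"));
        Pattern forBob = ownedByAny("owner", Set.of("bob", "everyone"));
        System.out.println("alice's session:    a=" + canRead(a, forAlice) + " b=" + canRead(b, forAlice));
        System.out.println("bob's session:      a=" + canRead(a, forBob) + " b=" + canRead(b, forBob));
    }
}
```

The title restriction gives the same answer for every session, while the owner restriction can only be built once the set of effective principals is known.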