[ https://issues.apache.org/jira/browse/OAK-9775?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Angela Schreiber updated OAK-9775:
----------------------------------
Component/s: authorization-principalbased, security-spi
> ACEs with unsupported restrictions must be cleared upon editing
> ---------------------------------------------------------------
>
> Key: OAK-9775
> URL: https://issues.apache.org/jira/browse/OAK-9775
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: authorization-principalbased, core, security, security-spi
> Reporter: Angela Schreiber
> Assignee: Angela Schreiber
> Priority: Critical
> Fix For: 1.44.0
>
>
> If the tree presentation of an access control list contains restrictions that
> are not supported, the restriction provider will ignore them upon reading the
> policy from the content repository.
> This will lead to ACEs being generated that contain an incomplete restriction
> set. However, the access control manager fails to detect them as incomplete
> or invalid, which upon editing of the policy will lead to
> - incomplete ACEs being written back _or_
> - AccessControlValidator failing in case the incomplete ACEs result in
>   duplications
>
> Instead, ACEs containing unsupported restrictions must be detected and removed
> from the policy upon editing (with an error being logged).
>
> How to get there:
> - custom restrictions being written to the repository and the custom
>   restriction provider being uninstalled from the security setup
> - using newer restrictions and then using that repository content with an
>   older Oak version that doesn't support those restrictions
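
The failure mode in the issue description above, as a simplified Java model added here; it is not code from Oak or from the issue. `Ace`, `readLenient`, `readForEditing` and the `custom:tag` restriction are hypothetical names, and the stored entries are constructed sample data.

```java
import java.util.*;

// Simplified model, NOT the Oak API: all type and method names are hypothetical.
public class UnsupportedRestrictionDemo {
    // An ACE as stored in the repository tree: principal, allow/deny, privilege, restrictions.
    record Ace(String principal, boolean allow, String privilege, Map<String, String> restrictions) {}

    // Restriction names the installed provider understands (assumption for this demo).
    static final Set<String> SUPPORTED = Set.of("rep:glob");

    // Behaviour described in the issue: unsupported restrictions are silently ignored on read.
    static List<Ace> readLenient(List<Ace> stored) {
        List<Ace> out = new ArrayList<>();
        for (Ace a : stored) {
            Map<String, String> kept = new TreeMap<>(a.restrictions());
            kept.keySet().retainAll(SUPPORTED); // drops e.g. custom:tag without any signal
            out.add(new Ace(a.principal(), a.allow(), a.privilege(), kept));
        }
        return out;
    }

    // Requested behaviour: when the policy is edited, remove such ACEs and log an error.
    static List<Ace> readForEditing(List<Ace> stored) {
        List<Ace> out = new ArrayList<>();
        for (Ace a : stored) {
            Set<String> unknown = new TreeSet<>(a.restrictions().keySet());
            unknown.removeAll(SUPPORTED);
            if (unknown.isEmpty()) {
                out.add(a);
            } else {
                System.err.println("ERROR: removing ACE for " + a.principal() + ", unsupported restrictions " + unknown);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: two entries that differ only in a custom restriction.
        List<Ace> stored = List.of(
            new Ace("editors", true, "jcr:read", Map.of("rep:glob", "/public/*")),
            new Ace("editors", true, "jcr:read", Map.of("rep:glob", "/public/*", "custom:tag", "draft")));
        List<Ace> lenient = readLenient(stored);
        System.out.println("lenient read: " + lenient.size() + " ACEs, distinct: " + new HashSet<>(lenient).size());
        System.out.println("edit read: " + readForEditing(stored).size() + " ACE kept");
    }
}
```

In the lenient read the second entry loses `custom:tag` and becomes equal to the first, which is the duplication case the description mentions; written back as is, it would also apply without the narrowing the custom restriction provided.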