[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob

2018-02-01 Thread Kamil (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16349096#comment-16349096
 ] 

Kamil commented on JCR-3923:


Don't you think that it is rather unintuitive that "/" doesn't match the root 
node?
I think this is the main issue...
Moreover - how do you want to differentiate between "matches node / only" and 
"/ and all descendants"?

> Repository root doesn't respect rep:glob
>
> Key: JCR-3923
> URL: https://issues.apache.org/jira/browse/JCR-3923
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Reporter: Kamil
> Priority: Major
>
> I have the following node structure:
> {noformat}
> /test
> /test/child
> /foo
> {noformat}
> When I set Principal based privileges to some user as:
> {noformat}
> Map<String, Value> restrictions = new HashMap<String, Value>();
> ValueFactory vf = session.getValueFactory();
> restrictions.put("rep:nodePath", vf.createValue("/test", PropertyType.PATH));
> restrictions.put("rep:glob", vf.createValue(""));
>
> jacl.addEntry(principal, privileges, allow, restrictions);
>
> acManager.setPolicy(jacl.getPath(), jacl);
> session.save();
> {noformat}
> where according to this documentation
> http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html
> empty string means "matches /foo only", the user can see only:
> {noformat}
> /test
> {noformat}
> without a child, which is correct. But when I set:
> {noformat}
> Map<String, Value> restrictions = new HashMap<String, Value>();
> ValueFactory vf = session.getValueFactory();
> restrictions.put("rep:nodePath", vf.createValue("/", PropertyType.PATH));
> restrictions.put("rep:glob", vf.createValue(""));
>
> jacl.addEntry(principal, privileges, allow, restrictions);
>
> acManager.setPolicy(jacl.getPath(), jacl);
> session.save();
> {noformat}
> then the user can see all descendants of root:
> {noformat}
> /test
> /test/child
> /foo
> {noformat}
> which is not correct



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob

2018-02-01 Thread Konrad Windszus (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16348945#comment-16348945
 ] 

Konrad Windszus commented on JCR-3923:

Done in https://issues.apache.org/jira/browse/OAK-7233.



[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob

2018-02-01 Thread angela (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16348911#comment-16348911
 ] 

angela commented on JCR-3923:

[~kwin], can you file a documentation issue with 
https://issues.apache.org/jira/projects/OAK then we can take care of explicitly 
mentioning the concat-nature and highlight the fact that for the root-node a 
leading / in the pattern won't work.



[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob

2018-02-01 Thread Konrad Windszus (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16348902#comment-16348902
 ] 

Konrad Windszus commented on JCR-3923:

[~anchela] Thanks a lot for your hints. In our case it seems indeed like we are 
using a {{rep:glob}} with a leading "/". Could you reference some documentation 
which states how the rep:glob is exactly taken into consideration (which makes 
it obvious that the rep:glob should never start with a "/")?



[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob

2018-02-01 Thread angela (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16348836#comment-16348836
 ] 

angela commented on JCR-3923:

[~reschke], it should also work on the root node. I don't know about 
jackrabbit-core but afaik it works with Oak (there should even be some test 
case if I remember correctly). One common mistake though is that the specified 
pattern is defined with a leading path, which on the root node will result in 
an invalid path that is never matched as the GlobPattern just concatenates 
strings.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
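
The concatenation behaviour angela describes in the comment above (and in her later comment about a leading "/" on the root node), as an added example that is not part of the thread and is not Jackrabbit or Oak code. It is a simplified model that assumes the effective pattern is rep:nodePath + rep:glob with `*` matching any character sequence; the class and method names are hypothetical, and it does not reproduce the jackrabbit-core behaviour reported in the issue.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Simplified model, not Jackrabbit/Oak code; all names here are hypothetical.
public class GlobConcatModel {

    // Assumption: effective pattern = rep:nodePath + rep:glob (plain string
    // concatenation), with '*' matching any character sequence, "/" included.
    static Pattern effectivePattern(String nodePath, String glob) {
        String[] literals = (nodePath + glob).split("\\*", -1);
        for (int i = 0; i < literals.length; i++) {
            literals[i] = Pattern.quote(literals[i]);
        }
        return Pattern.compile(String.join(".*", literals));
    }

    static List<String> matched(String nodePath, String glob, List<String> paths) {
        Pattern pattern = effectivePattern(nodePath, glob);
        List<String> hits = new ArrayList<>();
        for (String path : paths) {
            if (pattern.matcher(path).matches()) {
                hits.add(path);
            }
        }
        return hits;
    }

    // Review check: on the root node a leading "/" concatenates to "//...",
    // which is not a valid path, so the entry can never match anything.
    static boolean deadOnRoot(String nodePath, String glob) {
        return "/".equals(nodePath) && glob.startsWith("/");
    }

    public static void main(String[] args) {
        // Node structure from the issue, plus the root node itself.
        List<String> tree = Arrays.asList("/", "/test", "/test/child", "/foo");
        String[][] entries = {
            {"/test", ""}, {"/test", "/child"}, {"/test", "/*"},
            {"/", ""}, {"/", "/test"}, {"/", "test"},
        };
        for (String[] e : entries) {
            System.out.printf("nodePath=%-6s rep:glob=%-7s matches=%-14s deadOnRoot=%b%n",
                    '"' + e[0] + '"', '"' + e[1] + '"', matched(e[0], e[1], tree), deadOnRoot(e[0], e[1]));
        }
    }
}
```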


[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob

2018-02-01 Thread Julian Reschke (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16348787#comment-16348787
 ] 

Julian Reschke commented on JCR-3923:

I don't know this part of the code well enough to understand whether this is by 
design or not ([~anchela]?).

That said, this is not code shared with Oak, but I see that Oak has a similar 
class in 
https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java



[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob

2018-02-01 Thread Konrad Windszus (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16348748#comment-16348748
 ] 

Konrad Windszus commented on JCR-3923:

We are running into the same issue with Oak (1.6.2). Is this a known issue?
