[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob
[ https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16349096#comment-16349096 ] Kamil commented on JCR-3923: Don't you think that it is rather unintuitive that "/" doesn't match the root node? I think this is the main issue... Moreover - how do you want to differentiate between "matches node / only" and "/ and all descendants"? > Repository root doesn't respect rep:glob > > > Key: JCR-3923 > URL: https://issues.apache.org/jira/browse/JCR-3923 > Project: Jackrabbit Content Repository > Issue Type: Bug >Reporter: Kamil >Priority: Major > > I have following node structure: > {noformat} > /test > /test/child > /foo > {noformat} > When I set Principal based privileges to some user as: > {noformat} > Maprestrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/test", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > where according to this documentation > http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html > empty string means "matches /foo only", user can see only: > {noformat} > /test > {noformat} > without a child, which is correct. But when I set: > {noformat} > Map restrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > then user can see all descendants of root: > {noformat} > /test > /test/child > /foo > {noformat} > which is not correct -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob
[ https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16348945#comment-16348945 ] Konrad Windszus commented on JCR-3923: -- Done in https://issues.apache.org/jira/browse/OAK-7233. > Repository root doesn't respect rep:glob > > > Key: JCR-3923 > URL: https://issues.apache.org/jira/browse/JCR-3923 > Project: Jackrabbit Content Repository > Issue Type: Bug >Reporter: Kamil >Priority: Major > > I have following node structure: > {noformat} > /test > /test/child > /foo > {noformat} > When I set Principal based privileges to some user as: > {noformat} > Maprestrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/test", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > where according to this documentation > http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html > empty string means "matches /foo only", user can see only: > {noformat} > /test > {noformat} > without a child, which is correct. But when I set: > {noformat} > Map restrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > then user can see all descendants of root: > {noformat} > /test > /test/child > /foo > {noformat} > which is not correct -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob
[ https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16348911#comment-16348911 ] angela commented on JCR-3923: - [~kwin], can you file a documentation issue with https://issues.apache.org/jira/projects/OAK then we can take care of explicitly mentioning the concat-nature and highlight the fact that for the root-node a leading / in the pattern won't work. > Repository root doesn't respect rep:glob > > > Key: JCR-3923 > URL: https://issues.apache.org/jira/browse/JCR-3923 > Project: Jackrabbit Content Repository > Issue Type: Bug >Reporter: Kamil >Priority: Major > > I have following node structure: > {noformat} > /test > /test/child > /foo > {noformat} > When I set Principal based privileges to some user as: > {noformat} > Maprestrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/test", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > where according to this documentation > http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html > empty string means "matches /foo only", user can see only: > {noformat} > /test > {noformat} > without a child, which is correct. But when I set: > {noformat} > Map restrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > then user can see all descendants of root: > {noformat} > /test > /test/child > /foo > {noformat} > which is not correct -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob
[ https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16348902#comment-16348902 ] Konrad Windszus commented on JCR-3923: -- [~anchela] Thanks a lot for your hints. In our case it seems indeed like we are using a {{rep:glob}} with a leading "/". Could you reference some documentation which states how the rep:glob is exactly taken into consideration (which makes it obvious that the rep:glob should never start with a "/")? > Repository root doesn't respect rep:glob > > > Key: JCR-3923 > URL: https://issues.apache.org/jira/browse/JCR-3923 > Project: Jackrabbit Content Repository > Issue Type: Bug >Reporter: Kamil >Priority: Major > > I have following node structure: > {noformat} > /test > /test/child > /foo > {noformat} > When I set Principal based privileges to some user as: > {noformat} > Maprestrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/test", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > where according to this documentation > http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html > empty string means "matches /foo only", user can see only: > {noformat} > /test > {noformat} > without a child, which is correct. But when I set: > {noformat} > Map restrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > then user can see all descendants of root: > {noformat} > /test > /test/child > /foo > {noformat} > which is not correct -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob
[ https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16348836#comment-16348836 ] angela commented on JCR-3923: - [~reschke], it should also work on the root node. I don't know about jackrabbit-core but afaik it works with Oak (there should even be some test case if i remember correctly). One common mistake though is that the specified pattern is defined with a leading path, which on the root node will result in an invalid path that is never matched as the GlobPattern just concatenates string. > Repository root doesn't respect rep:glob > > > Key: JCR-3923 > URL: https://issues.apache.org/jira/browse/JCR-3923 > Project: Jackrabbit Content Repository > Issue Type: Bug >Reporter: Kamil >Priority: Major > > I have following node structure: > {noformat} > /test > /test/child > /foo > {noformat} > When I set Principal based privileges to some user as: > {noformat} > Maprestrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/test", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > where according to this documentation > http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html > empty string means "matches /foo only", user can see only: > {noformat} > /test > {noformat} > without a child, which is correct. But when I set: > {noformat} > Map restrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > then user can see all descendants of root: > {noformat} > /test > /test/child > /foo > {noformat} > which is not correct -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob
[ https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16348787#comment-16348787 ] Julian Reschke commented on JCR-3923: - I don't know this part of the code well enough to understand whether this is by design or not ([~anchela]?). That said, this is not code shared with Oak, but I see that Oak has a similar class in https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/GlobPattern.java > Repository root doesn't respect rep:glob > > > Key: JCR-3923 > URL: https://issues.apache.org/jira/browse/JCR-3923 > Project: Jackrabbit Content Repository > Issue Type: Bug >Reporter: Kamil >Priority: Major > > I have following node structure: > {noformat} > /test > /test/child > /foo > {noformat} > When I set Principal based privileges to some user as: > {noformat} > Maprestrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/test", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > where according to this documentation > http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html > empty string means "matches /foo only", user can see only: > {noformat} > /test > {noformat} > without a child, which is correct. But when I set: > {noformat} > Map restrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > then user can see all descendants of root: > {noformat} > /test > /test/child > /foo > {noformat} > which is not correct -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (JCR-3923) Repository root doesn't respect rep:glob
[ https://issues.apache.org/jira/browse/JCR-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16348748#comment-16348748 ] Konrad Windszus commented on JCR-3923: -- We are running into the same issue with Oak (1.6.2). Is this a known issue? > Repository root doesn't respect rep:glob > > > Key: JCR-3923 > URL: https://issues.apache.org/jira/browse/JCR-3923 > Project: Jackrabbit Content Repository > Issue Type: Bug >Reporter: Kamil >Priority: Major > > I have following node structure: > {noformat} > /test > /test/child > /foo > {noformat} > When I set Principal based privileges to some user as: > {noformat} > Maprestrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/test", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > where according to this documentation > http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html > empty string means "matches /foo only", user can see only: > {noformat} > /test > {noformat} > without a child, which is correct. But when I set: > {noformat} > Map restrictions = new HashMap (); > ValueFactory vf = session.getValueFactory(); > restrictions.put("rep:nodePath", vf.createValue("/", PropertyType.PATH)); > restrictions.put("rep:glob", vf.createValue("")); > > jacl.addEntry(principal, privileges, allow, restrictions); > > acManager.setPolicy(jacl.getPath(), jacl); > session.save(); > {noformat} > then user can see all descendants of root: > {noformat} > /test > /test/child > /foo > {noformat} > which is not correct -- This message was sent by Atlassian JIRA (v7.6.3#76005)