[jira] [Commented] (JCRVLT-522) Authorizable and authorization nodes applied even if filter rules exclude them
[ https://issues.apache.org/jira/browse/JCRVLT-522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479175#comment-17479175 ] Tobias Bocanegra commented on JCRVLT-522: - I think only *2.* is inconsistent, right? so this could be fixed, by no installing the ACL. > Authorizable and authorization nodes applied even if filter rules exclude them > -- > > Key: JCRVLT-522 > URL: https://issues.apache.org/jira/browse/JCRVLT-522 > Project: Jackrabbit FileVault > Issue Type: Improvement > Components: Packaging >Affects Versions: 3.4.10 >Reporter: Konrad Windszus >Assignee: Konrad Windszus >Priority: Major > Fix For: 3.5.10 > > > Currently the filter rules are not fully evaluated prior to applying ACLs (in > rep:policy and rep:repoPolicy files). According to JCRVLT-372 this is a bug. > The same is true for authorizable nodes (compare with JCRVLT-71). > The exact install behaviour is as follows (given that the ACHandling is not > IGNORE): > > || ||Path in Filter?||Effect||Example ACL Path(s)||Example Content Node > Path(s)|| > ||1|Contained in > filter|Installed|/testroot/node_a/rep:policy|/testroot/node_a|| > ||2|Not contained in filter, but ancestor is > contained|Installed|/testroot/secured/rep:policy|testroot/secured|| > ||3|Neither path nor ancestor is contained in filter|Not > Installed|/test2/rep:policy|/test2|| > ||4|Path is not contained in filter, ancestor is not contained either, but > node affected by ACLs is contained|Not > Installed|/testroot/rep:policy|/testroot|| > The example columns assume the following filter.xml > {code} > > > > > > > > {code} > -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (JCRVLT-522) Authorizable and authorization nodes applied even if filter rules exclude them
[ https://issues.apache.org/jira/browse/JCRVLT-522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479164#comment-17479164 ] Konrad Windszus commented on JCRVLT-522: [~tripod] Ping, how should we fix this inconsistent and unexpected behaviour? > Authorizable and authorization nodes applied even if filter rules exclude them > -- > > Key: JCRVLT-522 > URL: https://issues.apache.org/jira/browse/JCRVLT-522 > Project: Jackrabbit FileVault > Issue Type: Improvement > Components: Packaging >Affects Versions: 3.4.10 >Reporter: Konrad Windszus >Assignee: Konrad Windszus >Priority: Major > Fix For: 3.5.10 > > > Currently the filter rules are not fully evaluated prior to applying ACLs (in > rep:policy and rep:repoPolicy files). According to JCRVLT-372 this is a bug. > The same is true for authorizable nodes (compare with JCRVLT-71). > The exact install behaviour is as follows (given that the ACHandling is not > IGNORE): > > || ||Path in Filter?||Effect||Example ACL Path(s)||Example Content Node > Path(s)|| > ||1|Contained in > filter|Installed|/testroot/node_a/rep:policy|/testroot/node_a|| > ||2|Not contained in filter, but ancestor is > contained|Installed|/testroot/secured/rep:policy|testroot/secured|| > ||3|Neither path nor ancestor is contained in filter|Not > Installed|/test2/rep:policy|/test2|| > ||4|Path is not contained in filter, ancestor is not contained either, but > node affected by ACLs is contained|Not > Installed|/testroot/rep:policy|/testroot|| > The example columns assume the following filter.xml > {code} > > > > > > > > {code} > -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (JCRVLT-522) Authorizable and authorization nodes applied even if filter rules exclude them
[ https://issues.apache.org/jira/browse/JCRVLT-522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17414276#comment-17414276 ] Konrad Windszus commented on JCRVLT-522: [~tripod] Any opinion on how to change the installation behaviour for the cases listed in the table of this issue's description? > Authorizable and authorization nodes applied even if filter rules exclude them > -- > > Key: JCRVLT-522 > URL: https://issues.apache.org/jira/browse/JCRVLT-522 > Project: Jackrabbit FileVault > Issue Type: Improvement > Components: Packaging >Affects Versions: 3.4.10 >Reporter: Konrad Windszus >Assignee: Konrad Windszus >Priority: Major > Fix For: 3.5.4 > > > Currently the filter rules are not fully evaluated prior to applying ACLs (in > rep:policy and rep:repoPolicy files). According to JCRVLT-372 this is a bug. > The same is true for authorizable nodes (compare with JCRVLT-71). > The exact install behaviour is as follows (given that the ACHandling is not > IGNORE): > > || ||Path in Filter?||Effect||Example ACL Path(s)||Example Content Node > Path(s)|| > ||1|Contained in > filter|Installed|/testroot/node_a/rep:policy|/testroot/node_a|| > ||2|Not contained in filter, but ancestor is > contained|Installed|/testroot/secured/rep:policy|testroot/secured|| > ||3|Neither path nor ancestor is contained in filter|Not > Installed|/test2/rep:policy|/test2|| > ||4|Path is not contained in filter, ancestor is not contained either, but > node affected by ACLs is contained|Not > Installed|/testroot/rep:policy|/testroot|| > The example columns assume the following filter.xml > {code} > > > > > > > > {code} > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (JCRVLT-522) Authorizable and authorization nodes applied even if filter rules exclude them
[ https://issues.apache.org/jira/browse/JCRVLT-522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17405888#comment-17405888 ] Konrad Windszus commented on JCRVLT-522: Even ACLs are not that simple, because if they are outside the filter, they might be discarded by https://github.com/apache/jackrabbit-filevault/blob/61e920f55e487aa5dc045c66ce5b7b5e444784ca/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java#L530. [~tripod] Can you help me understand the status quo better? > Authorizable and authorization nodes applied even if filter rules exclude them > -- > > Key: JCRVLT-522 > URL: https://issues.apache.org/jira/browse/JCRVLT-522 > Project: Jackrabbit FileVault > Issue Type: Improvement > Components: Packaging >Affects Versions: 3.4.10 >Reporter: Konrad Windszus >Assignee: Konrad Windszus >Priority: Major > Fix For: 3.5.4 > > > Currently the filter rules are not evaluated prior to applying ACLs (in > rep:policy and rep:repoPolicy files). According to JCRVLT-372 this is a bug. > The same is true for authorizable nodes (compare with JCRVLT-71). -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (JCRVLT-522) Authorizable and authorization nodes applied even if filter rules exclude them
[ https://issues.apache.org/jira/browse/JCRVLT-522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17405847#comment-17405847 ] Konrad Windszus commented on JCRVLT-522: The handling for authorizables during import look weird to me: - In case there doesn't exist yet an authorizable with the new ID, it will be created independent of filter rules (https://github.com/apache/jackrabbit-filevault/blob/61e920f55e487aa5dc045c66ce5b7b5e444784ca/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/DocViewSAXImporter.java#L725) - In case there is already an authorizable node and the to be imported authorizable is outside the filter the existing authorizable won't be touched (https://github.com/apache/jackrabbit-filevault/blob/61e920f55e487aa5dc045c66ce5b7b5e444784ca/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/DocViewSAXImporter.java#L750) [~tripod] Can you confirm this is desired behavior? Any need for doing adjustments here? > Authorizable and authorization nodes applied even if filter rules exclude them > -- > > Key: JCRVLT-522 > URL: https://issues.apache.org/jira/browse/JCRVLT-522 > Project: Jackrabbit FileVault > Issue Type: Improvement > Components: Packaging >Affects Versions: 3.4.10 >Reporter: Konrad Windszus >Assignee: Konrad Windszus >Priority: Major > Fix For: 3.5.4 > > > Currently the filter rules are not evaluated prior to applying ACLs (in > rep:policy and rep:repoPolicy files). According to JCRVLT-372 this is a bug. > The same is true for authorizable nodes (compare with JCRVLT-71). -- This message was sent by Atlassian Jira (v8.3.4#803005)