[ https://issues.apache.org/jira/browse/OAK-5947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela resolved OAK-5947. ------------------------- Resolution: Fixed Fix Version/s: 1.7.0 Committed revision 1793646. > Allowing non-admin user to set repository permissions fails > ----------------------------------------------------------- > > Key: OAK-5947 > URL: https://issues.apache.org/jira/browse/OAK-5947 > Project: Jackrabbit Oak > Issue Type: Bug > Components: core > Affects Versions: 1.0, 1.2, 1.4.0, 1.6.0 > Reporter: Julian Sedding > Assignee: angela > Fix For: 1.7.0, 1.8 > > Attachments: OAK-5947.patch, OAK-5947-tests.patch, > SetRepoPolicyTest.patch > > > Given a user principal {{testUser}} is granted {{jcr:readAccessControl}} and > {{jcr:modifyAccessControl}} on the repository ({{rep:repoPolicy}}), I would > expect that this user can e.g. allow {{everyone}} the > {{jcr:namespaceManagement}} permission on the repository. > Currently this fails with the following exception: > {noformat} > javax.jcr.PathNotFoundException: No tree at null > at > org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager.getTree(AbstractAccessControlManager.java:163) > at > org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.getApplicablePolicies(AccessControlManagerImpl.java:184) > at > org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator$7.perform(AccessControlManagerDelegator.java:121) > at > org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator$7.perform(AccessControlManagerDelegator.java:117) > at > org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:208) > at > org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator.getApplicablePolicies(AccessControlManagerDelegator.java:117) > at > org.apache.jackrabbit.oak.jcr.delegate.JackrabbitAccessControlManagerDelegator.getApplicablePolicies(JackrabbitAccessControlManagerDelegator.java:147) > at > org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils.getAccessControlList(AccessControlUtils.java:128) > at > org.apache.jackrabbit.oak.jcr.SetRepoPolicyPermissionsTest.setRepositoryPermissions(SetRepoPolicyPermissionsTest.java:85) > .... > {noformat} > or after granting {{jcr:read}} on {{/}}: > {noformat} > javax.jcr.AccessDeniedException > at org.apache.jackrabbit.oak.util.NodeUtil.addChild(NodeUtil.java:113) > at > org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setNodeBasedAcl(AccessControlManagerImpl.java:289) > at > org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setPolicy(AccessControlManagerImpl.java:220) > at > org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator$8.performVoid(AccessControlManagerDelegator.java:132) > at > org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274) > at > org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator.setPolicy(AccessControlManagerDelegator.java:129) > at > org.apache.jackrabbit.oak.jcr.delegate.JackrabbitAccessControlManagerDelegator.setPolicy(JackrabbitAccessControlManagerDelegator.java:152) > at > org.apache.jackrabbit.oak.jcr.SetRepoPolicyPermissionsTest.setRepositoryPermissions(SetRepoPolicyPermissionsTest.java:90) > .... > {noformat} -- This message was sent by Atlassian JIRA (v6.3.15#6346)