[
https://issues.apache.org/jira/browse/OAK-7952?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
angela resolved OAK-7952.
-------------------------
Resolution: Invalid
> JCR System users do no longer consider group ACEs of groups they are member of
> ------------------------------------------------------------------------------
>
> Key: OAK-7952
> URL: https://issues.apache.org/jira/browse/OAK-7952
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core
> Affects Versions: 1.8.3
> Reporter: Konrad Windszus
> Priority: Major
> Attachments: OAK-7952_test-servlet.java
>
>
> In Oak 1.8.3 the JCR system users (JCR-3802) do no longer consider the access
> control entries bound to a group principal (belonging to a group they are
> member of). Only direct ACEs seem to be considered.
> I used the attached simple servlet to test read access of an existing
> service-user "workflow-service". Unfortunately it throws a
> {{javax.jcr.PathNotFoundException}} although the service user should inherit
> read access to the accessed path via its group membership. It works
> flawlessly in case the system user has direct read access to that path.
> Some more information about {{SlingRepository.createServiceSession(...)}}.
> Internally the service user implementation does a lookup of the actual
> service user name and then does impersonation from a new admin session
> (https://github.com/apache/sling-org-apache-sling-jcr-base/blob/de884b669836aacb2666da1e7bae1a6735de3bdb/src/main/java/org/apache/sling/jcr/base/AbstractSlingRepository2.java#L197)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
