Sean Curtis created SLING-12298:
-----------------------------------

Summary: Repoinit Script Not Respecting the Order of ACLs in set ACL
Key: SLING-12298
URL: https://issues.apache.org/jira/browse/SLING-12298
Project: Sling
Issue Type: Bug
Components: Repoinit
Affects Versions: Repoinit JCR 1.1.38, Repoinit Parser 1.6.14
Reporter: Sean Curtis

In short, the Repoinit parser doesn't appear to respect the order of deny-allow in the set ACL commands. I had a script like so:

{code:java}
// code placeholder
{
  "scripts": [
    "create group test-fragments-editors with path /home/groups/forms",
    "set ACL on /content/dam/formsanddocuments/<project>\n remove * for forms-users\n deny jcr:all for forms-users restriction(rep:glob,/<fragments_root>)\n allow jcr:read,crx:replicate for forms-users restriction(rep:glob,/<fragments_root>)\n allow jcr:all for test-fragments-editors restriction(rep:glob,/<fragments_root>)\nend",
    "set ACL on /content/forms/af/<project>\n remove * for forms-users\n deny jcr:all for forms-users restriction(rep:glob,/<fragments_root>)\n allow jcr:read,crx:replicate for forms-users restriction(rep:glob,/<fragments_root>)\n allow jcr:all restriction(rep:glob,/<fragments_root>)for test-fragments-editors\nend"
  ]
}
{code}

I would expect the resulting nodes to match the order defined in the script, like so:

{code:java}
// expected node output under /content/dam|forms/formsanddocuments|af/<project>
-rep:policy
  - deny (forms-users)
  - allow1 (forms-users)
  - allow2 (test-fragments-editors)
{code}

But instead it was:

{code:java}
// example node output under /content/dam|forms/formsanddocuments|af/<project>
-rep:policy
  - allow (test-fragments-editors)
  - deny1 (forms-users)
  - allow2 (forms-users)
{code}

Which resulted in a user who is a member of both groups being assigned the more restrictive permissions.

For it to work, I had to put each deny-allow in a separate set ACL line like so:

{code:java}
// code placeholder
{
  "scripts": [
    "create group test-fragments-editors with path /home/groups/forms",
    "set ACL on /content/dam/formsanddocuments/<project>\n remove * for forms-users\nend",
    "set ACL on /content/dam/formsanddocuments/<project>\n deny jcr:all for forms-users restriction(rep:glob,/<fragments_root>)\nend",
    "set ACL on /content/dam/formsanddocuments/<project>\n allow jcr:read,crx:replicate for forms-users restriction(rep:glob,/<fragments_root>)\nend",
    "set ACL on /content/dam/formsanddocuments/<project>\n allow jcr:all for test-fragments-editors restriction(rep:glob,/<fragments_root>)\nend",
    ...
  ]
}
{code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
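
An added illustration, not part of the original report and not Sling or Oak code: a simplified model of in-order ACE evaluation showing why the two entry orders listed in the report give a member of both groups different effective privileges, plus a check that flags the first position where the stored order departs from the script order. It assumes a later matching entry overrides an earlier one per privilege, ignores the rep:glob restriction, and uses a constructed three-privilege stand-in for jcr:all.

```python
# Simplified model (assumption): the entries of one rep:policy node are
# walked in stored order and a later matching entry overrides an earlier one.
# rep:glob restrictions are ignored; ALL is a constructed stand-in for jcr:all.
ALL = frozenset({"jcr:read", "jcr:write", "crx:replicate"})

def expand(privs):
    """Expand the jcr:all aggregate into the stand-in privilege set."""
    return ALL if "jcr:all" in privs else frozenset(privs)

def effective(aces, principals):
    """Privileges left after applying every entry that matches a principal."""
    granted = set()
    for action, principal, privs in aces:
        if principal not in principals:
            continue
        if action == "allow":
            granted |= expand(privs)
        else:  # deny
            granted -= expand(privs)
    return granted

def order_drift(expected, actual):
    """Index of the first entry that differs from the script order, else None."""
    for i, (want, got) in enumerate(zip(expected, actual)):
        if want != got:
            return i
    if len(expected) != len(actual):
        return min(len(expected), len(actual))
    return None

# Entry order as written in the repoinit script from the report.
SCRIPT_ORDER = [
    ("deny", "forms-users", {"jcr:all"}),
    ("allow", "forms-users", {"jcr:read", "crx:replicate"}),
    ("allow", "test-fragments-editors", {"jcr:all"}),
]
# Entry order the report found under rep:policy.
OBSERVED_ORDER = [
    ("allow", "test-fragments-editors", {"jcr:all"}),
    ("deny", "forms-users", {"jcr:all"}),
    ("allow", "forms-users", {"jcr:read", "crx:replicate"}),
]

if __name__ == "__main__":
    member_of_both = {"forms-users", "test-fragments-editors"}
    print("script order  :", sorted(effective(SCRIPT_ORDER, member_of_both)))
    print("observed order:", sorted(effective(OBSERVED_ORDER, member_of_both)))
    print("first drift at:", order_drift(SCRIPT_ORDER, OBSERVED_ORDER))
```

In this model a user who is only in forms-users ends up with the same privileges under either order, so the reordering only shows up for principals that match entries of both groups.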