Sean Curtis created SLING-12298:
-----------------------------------

             Summary: Repoinit Script Not Respecting the Order of ACLs in set ACL
                 Key: SLING-12298
                 URL: https://issues.apache.org/jira/browse/SLING-12298
             Project: Sling
          Issue Type: Bug
          Components: Repoinit
    Affects Versions: Repoinit JCR 1.1.38, Repoinit Parser 1.6.14
            Reporter: Sean Curtis


In short, the Repoinit parser doesn't appear to respect the order of deny-allow 
in the set ACL commands.

 

I had a script like so:

 
{code:java}
{
    "scripts": [
        "create group test-fragments-editors with path /home/groups/forms",
        "set ACL on /content/dam/formsanddocuments/<project>\n   remove * for forms-users\n  deny jcr:all for forms-users restriction(rep:glob,/<fragments_root>)\n    allow jcr:read,crx:replicate for forms-users restriction(rep:glob,/<fragments_root>)\n    allow jcr:all for test-fragments-editors restriction(rep:glob,/<fragments_root>)\nend",
        "set ACL on /content/forms/af/<project>\n   remove * for forms-users\n  deny jcr:all for forms-users restriction(rep:glob,/<fragments_root>)\n    allow jcr:read,crx:replicate for forms-users restriction(rep:glob,/<fragments_root>)\n    allow jcr:all restriction(rep:glob,/<fragments_root>)for test-fragments-editors\nend"
    ]
} {code}
 

I would expect the resulting nodes would match the order defined in the script, 
like so:
{code:java}
// expected node output under /content/dam|forms/formsanddocuments|af/<project>
-rep:policy
    - deny (forms-users)
    - allow1 (forms-users)
    - allow2 (test-fragments-editors) {code}
 

But instead it was:

 
{code:java}
// example node output under /content/dam|forms/formsanddocuments|af/<project>
-rep:policy
    - allow (test-fragments-editors)
    - deny1 (forms-users)
    - allow2 (forms-users){code}
 

Which resulted in a user who is a member of both groups being assigned the more 
restrictive permissions. For it to work, I had to put each deny-allow in a 
separate set ACL line like so:
{code:java}
{
    "scripts": [
        "create group test-fragments-editors with path /home/groups/forms",
        "set ACL on /content/dam/formsanddocuments/<project>\n   remove * for forms-users\nend",
        "set ACL on /content/dam/formsanddocuments/<project>\n   deny jcr:all for forms-users restriction(rep:glob,/<fragments_root>)\nend",
        "set ACL on /content/dam/formsanddocuments/<project>\n    allow jcr:read,crx:replicate for forms-users restriction(rep:glob,/<fragments_root>)\nend",
        "set ACL on /content/dam/formsanddocuments/<project>\n   allow jcr:all for test-fragments-editors restriction(rep:glob,/<fragments_root>)\nend",
        ...
    ]
} {code}
 

 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
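
Why the entry order under rep:policy changes the outcome for a member of both groups, as an added example that is not part of the original report or of Sling's code. It assumes a simplified evaluation model in which a later matching group entry overrides an earlier one, and the privilege set standing in for jcr:all is constructed for illustration.

```python
# Simplified model (assumption): within one rep:policy node, entries for the
# user's group principals are evaluated in order and a later matching entry
# overrides an earlier one for each privilege. Restrictions are ignored here
# because every entry in the report carries the same rep:glob restriction.

# Constructed privilege set standing in for the jcr:all aggregate.
JCR_ALL = frozenset({"jcr:read", "jcr:write", "crx:replicate",
                     "jcr:readAccessControl", "jcr:modifyAccessControl"})


def expand(privileges):
    """Expand the jcr:all aggregate into the constructed privilege set."""
    out = set()
    for p in privileges:
        out |= JCR_ALL if p == "jcr:all" else {p}
    return out


def effective_privileges(entries, groups):
    """Walk (action, principal, privileges) entries from top to bottom."""
    granted = set()
    for action, principal, privileges in entries:
        if principal not in groups:
            continue  # entry does not apply to this user's groups
        if action == "allow":
            granted |= expand(privileges)
        else:
            granted -= expand(privileges)
    return granted


# Entry order the reporter expected (order of the lines in the script).
EXPECTED = [
    ("deny", "forms-users", ["jcr:all"]),
    ("allow", "forms-users", ["jcr:read", "crx:replicate"]),
    ("allow", "test-fragments-editors", ["jcr:all"]),
]
# Entry order the reporter observed under rep:policy.
OBSERVED = [
    ("allow", "test-fragments-editors", ["jcr:all"]),
    ("deny", "forms-users", ["jcr:all"]),
    ("allow", "forms-users", ["jcr:read", "crx:replicate"]),
]
BOTH = {"forms-users", "test-fragments-editors"}

if __name__ == "__main__":
    for name, order in (("expected", EXPECTED), ("observed", OBSERVED)):
        print(name, sorted(effective_privileges(order, BOTH)))
```
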
