[ https://issues.apache.org/jira/browse/OAK-8101?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Davide Giannella closed OAK-8101.
---------------------------------

bulk close 1.12.0

> AccessControlValidator prevents alternative authorization models to use restrictions
> ------------------------------------------------------------------------------------
>
>                 Key: OAK-8101
>                 URL: https://issues.apache.org/jira/browse/OAK-8101
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core, security
>            Reporter: angela
>            Assignee: angela
>            Priority: Major
>             Fix For: 1.12.0
>
>         Attachments: OAK-8101.patch
>
>
> [~stillalex], while working on an authorization related PoC I noticed that
> the {{AccessControlValidator}} present with the default implementation
> essentially prevents additional authorization models to make use of the
> default {{RestrictionProvider}} implementation that stores restrictions in a
> dedicated tree of type _rep:Restrictions_. It does so by asserting that a
> {{NodeState}} with this primary type is always located below an access
> control entry with the format defined by the default impl before validating
> the restrictions.
> This could e.g. be fixed as follows:
> - if the parent {{NodeState}} is indeed an entry as defined by the default
> implementation -> validate using implementation details
> - otherwise: throw {{CommitFailedException}} if the parent {{NodeState}} does
> not denote an access control tree as defined by the (composite) {{Context}}.
> This would allow other models to make use of restrictions and validate them
> accordingly, while still failing the commit if an isolated restriction tree
> was spotted i.e. one outside of the access control context.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
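
The two-branch check proposed in the issue description, as an added example that is not taken from OAK-8101.patch or from the Oak code base. `Node`, `CommitFailed`, `Outcome`, the `inAccessControlContext` flag (standing in for the composite {{Context}} lookup) and all paths are hypothetical; `rep:GrantACE` and `rep:DenyACE` are assumed here to be the entry types of the default implementation.

```java
import java.util.Set;

public class RestrictionParentCheck {
    static final String NT_REP_RESTRICTIONS = "rep:Restrictions";
    // Assumption: entry node types written by the default access control implementation.
    static final Set<String> DEFAULT_ACE_TYPES = Set.of("rep:GrantACE", "rep:DenyACE");

    // Hypothetical stand-in for a NodeState: its primary type, plus whether the
    // (composite) Context reports the node as part of an access control tree.
    record Node(String path, String primaryType, boolean inAccessControlContext) {}

    // Hypothetical stand-in for Oak's CommitFailedException.
    static class CommitFailed extends Exception {
        CommitFailed(String message) { super(message); }
    }

    enum Outcome { NOT_A_RESTRICTION_TREE, DEFAULT_MODEL_VALIDATES, OTHER_MODEL_VALIDATES }

    static Outcome check(Node parent, Node child) throws CommitFailed {
        if (!NT_REP_RESTRICTIONS.equals(child.primaryType())) {
            return Outcome.NOT_A_RESTRICTION_TREE;
        }
        if (DEFAULT_ACE_TYPES.contains(parent.primaryType())) {
            // Parent has the default entry format: the implementation-specific
            // restriction validation would run at this point.
            return Outcome.DEFAULT_MODEL_VALIDATES;
        }
        if (!parent.inAccessControlContext()) {
            // Isolated restriction tree outside any access control content: fail the commit.
            throw new CommitFailed("Isolated restriction tree at " + child.path());
        }
        // Parent belongs to another authorization model, which validates its own restrictions.
        return Outcome.OTHER_MODEL_VALIDATES;
    }

    public static void main(String[] args) {
        // Constructed sample nodes: {parent, child} pairs.
        Node[][] cases = {
            { new Node("/a/rep:policy/allow", "rep:GrantACE", true),
              new Node("/a/rep:policy/allow/rep:restrictions", NT_REP_RESTRICTIONS, true) },
            { new Node("/a/example:policy/entry0", "example:Entry", true),
              new Node("/a/example:policy/entry0/restrictions", NT_REP_RESTRICTIONS, true) },
            { new Node("/content/page", "nt:unstructured", false),
              new Node("/content/page/restrictions", NT_REP_RESTRICTIONS, false) },
        };
        for (Node[] c : cases) {
            try {
                System.out.println(c[1].path() + " -> " + check(c[0], c[1]));
            } catch (CommitFailed e) {
                System.out.println("commit failed: " + e.getMessage());
            }
        }
    }
}
```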