Tobias Bocanegra created OAK-3351: ------------------------------------- Summary: Add ability to prioritise restriction to where it matches Key: OAK-3351 URL: https://issues.apache.org/jira/browse/OAK-3351 Project: Jackrabbit Oak Issue Type: Improvement Components: security Reporter: Tobias Bocanegra Assignee: Tobias Bocanegra
Consider the following use case: A node, and not its subtree, should be protected from removal, if it contains a defined property. a custom jcr:protected so to speak. The idea is to create a restriction provider that enables the ACE when the property is set. for example: {noformat} allow rep:read,rep:write /a deny jcr:removeNode /a hasProperty=protect-me allow jcr:removeNode /a hasProperty=!protect-me {noformat} the _allow_ is needed so that the child nodes of a protected node are still removable, if they are not protected themselves. The problem is now, that the ACE does not apply where it matches, but where it is defined. so assume we have a node {{/a/b/c}} protected. the ACE in {{/a}} would then match the node, but also the parent {{/a/b}} if it is not protected would match the allow rule, since the REMOVE_NODE is a permission that also needs to check the REMOVE_CHILDNODES privilege on the parent. And since the allow ACE is after the deny one, it wins. So either the parent-check needs to be delayed to a later stage, or we can define that an ACE with restriction can be sorted in a way that it applies where it matches, so that it looks like the ACE was specified on {{/a/b/c}} -- This message was sent by Atlassian JIRA (v6.3.4#6332)