On 3 Aug 2009, at 18:44, Ian Boston wrote:
Hi,
Is there a standard way to control who can modify a group in the
Jackrabbit User Manager Impl?
IIUC, there appears to be a Group (default GroupAdmin) that grants
the user write access to *all* groups, but no way of granting a user
administrative rights over a subset of all groups.
Is this correct, or have I missed something?
Ian
On the basis that delegated administration of selected groups is not
possible, would the following patch be a "safe" thing to do in the
UserAccessControlProvider? NB, this is *not* a request to patch
Jackrabbit code, it's just a question regarding the sanity of the
approach.
In UserAccessControlProvider#CompiledPermissionsImpl.buildResult(...):
        } else if (groupsPath.equals(abs2Path)) {
            /*
             below group-tree:
             - test if the user is group-administrator.
             */
            if (isGroupAdmin) {
                allows = Permission.ALL;
                if (calcPrivs) {
                    privs |= PrivilegeRegistry.WRITE;
                }
            } else {
                // new code to allow group administration delegation
                // check the group node to see if there is a list
                // of admin groups.
                Node node = (NodeImpl) getExistingNode(path);
                if ( node.hasProperty(GROUPS_PROPERTY) ) {
                    Property groups = node.getProperty(GROUPS_PROPERTY);
                    for ( Value group : groups.getValues() ) {
                        String groupName = group.getString();
                        if ( containsGroup(userPrincipals, groupName)) {
                            allows = Permission.ALL;
                            if (calcPrivs) {
                                privs |= PrivilegeRegistry.WRITE;
                            }
                            break;
                        }
                    }
                }
                // end new code
            }
        } // else outside of user/group tree -> read only.
        return new Result(allows, denies, privs,
                PrivilegeRegistry.NO_PRIVILEGE);
    }
Ian
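
A simplified in-memory model of the delegation check proposed above, as an added example that is not part of the original message and not Jackrabbit code. The property names (adminGroups, members), the permission constants and the sample groups are assumptions. It goes one step beyond the patch by treating the admin list itself as writable only by the global group administrator, an assumed policy, since in this model a blanket write grant on the group node would also cover that list. Requires Java 9 or later.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Simplified model of per-group delegated administration; not Jackrabbit API.
public class DelegatedGroupAdminCheck {
    static final int READ = 1, WRITE = 2;              // stand-ins for permission bits
    static final String ADMIN_GROUPS = "adminGroups";  // hypothetical property name

    // groupNode: property name -> values stored on one group node.
    // targetProperty: the property being written, or null for the node itself.
    static int allowed(Map<String, List<String>> groupNode, Set<String> userGroups,
                       boolean isGroupAdmin, String targetProperty) {
        if (isGroupAdmin) {
            return READ | WRITE;                       // global group administrator
        }
        // A missing property means no delegation: fall back to read only.
        List<String> admins = groupNode.getOrDefault(ADMIN_GROUPS, List.of());
        boolean delegated = admins.stream().anyMatch(userGroups::contains);
        // Delegates may edit the group, but not the list that grants them the
        // right; otherwise a delegate could extend or hand over the delegation.
        if (delegated && !ADMIN_GROUPS.equals(targetProperty)) {
            return READ | WRITE;
        }
        return READ;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Map<String, List<String>> physics = Map.of(
                ADMIN_GROUPS, List.of("physics-admins"),
                "members", List.of("alice", "bob"));
        Map<String, List<String>> chemistry = Map.of("members", List.of("carol"));
        Set<String> user = Set.of("everyone", "physics-admins");

        System.out.println("physics/members:     " + allowed(physics, user, false, "members"));
        System.out.println("physics/adminGroups: " + allowed(physics, user, false, ADMIN_GROUPS));
        System.out.println("chemistry/members:   " + allowed(chemistry, user, false, "members"));
        System.out.println("as GroupAdmin:       " + allowed(chemistry, user, true, "members"));
    }
}
```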