On 4 Aug 2009, at 10:27, Ian Boston wrote:


On 3 Aug 2009, at 18:44, Ian Boston wrote:

Hi,

Is there a standard way to control who can modify a group in the Jackrabbit User Manager Impl.

IIUC, there appears to be a Group (default GroupAdmin) that grants the user write access to *all* groups, but no way of granting a user administrative rights over a subset of all groups.

Is this correct, or have I missed something?

Ian


On the basis that delegated administration of selected groups is not possible, would the following patch be a "safe" thing to do in the UserAccessControlProvider? NB, this is *not* a request to patch Jackrabbit code, it's just a question regarding the sanity of the approach.

in UserAccessControlProvider#CompiledPermissionsImpl.buildResult(...)

           } else if (groupsPath.equals(abs2Path)) {
               /*
               below group-tree:
               - test if the user is group-administrator.
               */
               if (isGroupAdmin) {
                   allows = Permission.ALL;
                   if (calcPrivs) {
                       privs |= PrivilegeRegistry.WRITE;
                   }
               } else {

// new code to allow group administration delegation

// check the group node to see if there are a list of admin groups.
                 Node node = (NodeImpl) getExistingNode(path);
                 if ( node.hasProperty(GROUPS_PROPERTY) ) {
Property groups = node.getProperty(GROUPS_PROPERTY);
                   for ( Value group : groups.getValues() ) {
                     String groupName = group.getString();
                     if ( containsGroup(userPrincipals, groupName)) {
                       allows = Permission.ALL;
                       if (calcPrivs) {
                           privs |= PrivilegeRegistry.WRITE;
                       }
                       break;
                     }
                   }
                 }
// end new code
               }


           } // else outside of user/group tree -> read only.
return new Result(allows, denies, privs, PrivilegeRegistry.NO_PRIVILEGE);
       }
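Review bot: the new branch only runs in the `groupsPath.equals(abs2Path)` case and reads GROUPS_PROPERTY from the node at `path`, so it grants write on the group node itself and never sees a membership change, which (as the follow-up in this thread notes) is a write to the rep:groups property on the *user* node. Two smaller points: `groups.getValues()` throws ValueFormatException if GROUPS_PROPERTY happens to be single-valued, so guard it with `groups.isMultiple()` (or fall back to `groups.getValue()`), and `node` is cast to `NodeImpl` but declared as `Node`, so the cast does nothing.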

Ian



Sadly this is a complete non-starter, since the groups property attached to a user node in the UserManager subtree, e.g. /rep:security/rep:authorizables/rep:users/rep:admin/nico1249552834/rep:groups, is where group membership is stored, and at the point of asserting the permissions all that can be derived is that the property is being changed, not which group(s) are being added or removed, so there is no way of doing delegated group administration in the current Jackrabbit UserManager. The user performing the modification has to be a member of both the UserAdmin group and the GroupAdmin group... and then they get permissions to admin *all* groups and *all* users in the system.

Ian
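The check that delegated group administration actually needs, given that membership is a single multi-valued rep:groups property on the user node: diff the old and new value arrays and require the acting user to be an administrator of every group that was added or removed. The following is an added example written for this thread, not Jackrabbit code and not Ian's patch. It assumes (hypothetically) that each group carries a list of "admin groups" as in the GROUPS_PROPERTY idea above, modelled here as a `Map`, and that the check runs somewhere that can see both the old and the new values (an application layer or a commit hook), which is precisely what the access-control provider cannot do at permission-evaluation time. It also covers a case a per-group check must not miss: one write that swaps one group for another.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not Jackrabbit code: a model of the delegated group-admin check
 * for a rep:groups property that holds the user's whole membership list.
 *
 * Assumptions (hypothetical, for illustration only):
 *  - a membership change is one write of the whole multi-valued rep:groups array,
 *    so the only way to know which groups were touched is to diff old vs new values;
 *  - each group has a list of admin groups (the GROUPS_PROPERTY idea), modelled
 *    as a Map from group id to the set of admin group ids;
 *  - the check runs where both value arrays are visible, which the
 *    UserAccessControlProvider is not.
 */
public class DelegatedGroupAdminCheck {

    /** Groups added to and removed from a user's rep:groups by a single write. */
    public static final class MembershipDelta {
        public final Set<String> added;
        public final Set<String> removed;

        MembershipDelta(Set<String> added, Set<String> removed) {
            this.added = Collections.unmodifiableSet(added);
            this.removed = Collections.unmodifiableSet(removed);
        }
    }

    /** Diff the old and new rep:groups values; the order of the values is irrelevant. */
    public static MembershipDelta diff(Set<String> oldGroups, Set<String> newGroups) {
        Set<String> added = new LinkedHashSet<>(newGroups);
        added.removeAll(oldGroups);
        Set<String> removed = new LinkedHashSet<>(oldGroups);
        removed.removeAll(newGroups);
        return new MembershipDelta(added, removed);
    }

    /**
     * Decide whether the acting user may apply this membership change.
     * A GroupAdmin keeps the existing all-groups semantics; anyone else must share
     * a principal with the admin list of *every* group that is added or removed.
     * A write that only re-orders the values touches no group and is allowed.
     */
    public static boolean isPermitted(Set<String> actorGroups, boolean actorIsGroupAdmin,
                                      Set<String> oldGroups, Set<String> newGroups,
                                      Map<String, Set<String>> adminGroupsOf) {
        if (actorIsGroupAdmin) {
            return true;
        }
        MembershipDelta delta = diff(oldGroups, newGroups);
        Set<String> touched = new HashSet<>(delta.added);
        touched.addAll(delta.removed);
        for (String group : touched) {
            Set<String> admins = adminGroupsOf.getOrDefault(group, Collections.<String>emptySet());
            // Deny as soon as one touched group has no admin group the actor belongs to.
            if (Collections.disjoint(admins, actorGroups)) {
                return false;
            }
        }
        return true;
    }

    private static Set<String> set(String... ids) {
        return new LinkedHashSet<>(Arrays.asList(ids));
    }

    public static void main(String[] args) {
        // Constructed sample data: team-a is administered by team-a-admins, team-b by team-b-admins.
        Map<String, Set<String>> adminGroupsOf = new HashMap<>();
        adminGroupsOf.put("team-a", set("team-a-admins"));
        adminGroupsOf.put("team-b", set("team-b-admins"));

        Set<String> actor = set("team-a-admins", "everyone");
        Set<String> before = set("everyone", "team-a");

        // Removing the user from team-a: the actor administers team-a, so this is permitted.
        System.out.println("remove team-a: " + isPermitted(actor, false, before, set("everyone"), adminGroupsOf));
        // Adding team-b: the actor does not administer team-b, so this is denied.
        System.out.println("add team-b:    " + isPermitted(actor, false, before, set("everyone", "team-a", "team-b"), adminGroupsOf));
        // Swapping team-a for team-b in one write: the removal alone would pass, the addition fails.
        System.out.println("swap a for b:  " + isPermitted(actor, false, before, set("everyone", "team-b"), adminGroupsOf));
        // Same values in a different order: nothing touched, permitted.
        System.out.println("reorder only:  " + isPermitted(actor, false, before, set("team-a", "everyone"), adminGroupsOf));
        // A GroupAdmin may do anything, as in the current provider.
        System.out.println("GroupAdmin:    " + isPermitted(set("everyone"), true, before, set("everyone", "team-b"), adminGroupsOf));
    }
}
```

The decision is made on the set of touched groups rather than on the property path, which is why it cannot be expressed inside buildResult: there the provider knows only that rep:groups on some user node is being written. Expected output of the five cases is true, false, false, true, true.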
