Hi,
This is Jackrabbit 1.5.6 I had a quick look at later versions and I
think what I am about to say holds for those later version.
My Jackrabbit deployment is in Sling.
I have been having a look at an ACL setup on a private subtree, and at
the moment it looks like this is not possible in Jackrabbit/Sing, but
before I go and try and make it work, I would like to verify some
things.
1. IIUC, the DefaultAccessControlManager (DACM) does not allow deny on
a group, so if everyone is granted read at the root node, then they
cannot be denied read in any subnode.
2. Everyone has to be granted read at the root node, since they will
need to read the whole path to any Resource. (Sling)
3. If there is any anonymous browse of the URL tree, then anonymous
also needs read at the root node.
4. Denying anonymous read is easy, as its a user principal and so can
be applied in an ACL only effecting anonymous.
So, as it stands it looks like its not possible to make a sub tree
private from authenticated users, but it can be made private from
individual users.
---
If I patch the DACM et al to allow denied permissions on groups I can
now add an ACL with everyone:denied:jcr:all, however, now no one can
access the node or subtree.
IIUC, when that is processed "everyone" contains all authenticated
user, including the user I explicitly granted access. IMHO, if there
isnt a bug in the DACM et al, then permissions should be compiled at a
node giving preference to users, followed by groups, allowing an
explicit grant to a user to override a group deny.
Does that make sense ?
If this works, what are the chances of getting this into JR 1.5.x, I
think it is a genuine use case, or is there a different way of
achieving the same result ?
Thanks
Ian
