Thanks Angela.
> in order to execute version operations a principal must
> have jcr:versionManagement privilege [1] on the corresponding
> versionable node.
I'm using an admin user, who has this privilege. And, indeed, the
checkin() works, and a new version is created. However, when I try to
add a label, I get a RepositoryException. If I remove the label call,
the checkin operation works just fine.
javax.jcr.RepositoryException: Forbidden
    at org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:120)
    at org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:51)
    at org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.execute(RepositoryServiceImpl.java:552)
    at org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.addVersionLabel(RepositoryServiceImpl.java:1766)
    at org.apache.jackrabbit.jcr2spi.WorkspaceManager$OperationVisitorImpl.visit(WorkspaceManager.java:1061)
    at org.apache.jackrabbit.jcr2spi.operation.AddLabel.accept(AddLabel.java:70)
    at org.apache.jackrabbit.jcr2spi.WorkspaceManager$OperationVisitorImpl.execute(WorkspaceManager.java:848)
    at org.apache.jackrabbit.jcr2spi.WorkspaceManager$OperationVisitorImpl.access$400(WorkspaceManager.java:793)
    at org.apache.jackrabbit.jcr2spi.WorkspaceManager.execute(WorkspaceManager.java:581)
    at org.apache.jackrabbit.jcr2spi.version.VersionManagerImpl.addVersionLabel(VersionManagerImpl.java:146)
    at org.apache.jackrabbit.jcr2spi.version.VersionHistoryImpl.addVersionLabel(VersionHistoryImpl.java:179)
    at wego.ecms.WGECMSDocumentManager.commitVersion(WGECMSDocumentManager.java:487)
I suppose this could be a bug in the davex remoting stack, on the
service side of the equation. Or is this expected by your
understanding?
>
> note however, that this only covers the execution. reading
> version related content is controlled by regular read permissions.
> one more thing to be aware of: version operations such as checkin
> also require read-access to the corresponding part of the version
> storage. this is rather cumbersome and covered by a jira issue [2]
I'm not entirely sure that I understand this, and the referenced
ticket. Are you saying that successful version control operations,
such as checkin, depend upon BOTH:
1) jcr:versionManagement on the node which will be versioned
AND
2) read access to the entire version tree, i.e. /jcr:system/jcr:versionStorage
I understand requirement one easily enough. And I think I understand
number two -- I'm using the Default . . . AccessManager,
SecurityManager and LoginModule, and I'm using admin/admin. I have
attached no ACLs to anything in the system tree, so I would expect
that my admin user has read permissions on the entire version tree.
Actually, I would expect that my other users also have read access on
that tree; perhaps I'm wrong here?
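
Added example, not part of the original message and not Jackrabbit's or the poster's code: one way to test the two preconditions discussed in this thread (jcr:versionManagement on the versionable node, read access to its part of the version storage) with the standard JCR 2.0 API before doing the checkin and label calls. The class and method names are hypothetical, and it assumes the node at nodePath is already mix:versionable.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import javax.jcr.version.Version;
import javax.jcr.version.VersionHistory;
import javax.jcr.version.VersionManager;

/** Hypothetical helper, not part of Jackrabbit or of the poster's code. */
public final class VersionLabelCheck {

    /** Reports the two preconditions from the thread, then does checkin + label. */
    public static Version checkinWithLabel(Session session, String nodePath, String label)
            throws RepositoryException {
        VersionManager vm = session.getWorkspace().getVersionManager();
        VersionHistory history = vm.getVersionHistory(nodePath);
        String historyPath = history.getPath(); // under /jcr:system/jcr:versionStorage

        // 1) jcr:versionManagement on the versionable node
        try {
            AccessControlManager acm = session.getAccessControlManager();
            Privilege[] needed = { acm.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT) };
            System.out.println("jcr:versionManagement on " + nodePath + ": "
                    + acm.hasPrivileges(nodePath, needed));
        } catch (UnsupportedRepositoryOperationException e) {
            // The JCR API allows a Session to not expose access control management.
            System.out.println("privilege check not supported by this session");
        }

        // 2) read access to this node's part of the version storage
        System.out.println("read on " + historyPath + ": "
                + session.hasPermission(historyPath, Session.ACTION_READ));

        Version v = vm.checkin(nodePath);
        try {
            // moveLabel=false: fail instead of silently moving an existing label
            history.addVersionLabel(v.getName(), label, false);
        } catch (RepositoryException e) {
            // Keep the failing step distinguishable from checkin in the logs
            throw new RepositoryException(
                    "checkin created " + v.getName() + " but labelling failed", e);
        }
        return v;
    }
}
```

Both checks are evaluated with the permissions of the session passed in, so running the same method with the admin session and with a regular user's session shows where their effective access differs.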