Hi
This is a shortened version of
https://stackoverflow.com/questions/54280740/adding-restrictions-to-acls-yields-empty-results-for-queries-in-jackrabbit-oak
I'm looking for information on Jackrabbit Oak's restriction management w.r.t.
security. This primarily stems from a specific case below where I receive some
unexpected results, as I did not expect a query to filter away the results it
did.
Using the following repository structure below:
/
node [nt:unstructured]
subnode [nt:unstructured]
On 'node', I add an access control entry with privilege 'JCR_ALL' for 'user'
(with principal 'user') together with a restriction for rep:glob -> "", such
that user do not have access to the children - in this case, only 'subnode'.
It works as expected when using session.getNode for 'user':
- session.getNode("/node") returns the node
- session.getNode("/node/subnode") throws PathNotFoundException as expected due
to the restriction.
However, when I execute the following JCR-SQL2 query as 'user':
SELECT * FROM [nt:unstructured]
I get no results back. Here I would have expected to get /node, as it is
otherwise available when using session.getNode. Removing the restriction yields
the expected result of both /node and /node/subnode.
I'm using Oak version 1.10.0.
If anybody is able to provide some insight into why this is not the case, it
would be greatly appreciated. With that said, I really appreciate the thorough
documentation on your website.
Thanks in advance,
Søren
