Hi,
I'm playing around with the Sling Oak restriction feature and I can't seem to
get it working.
The simple case I'm trying right now is to allow a user 'alice' to have full
access to all nodes at or below nodes with Sling resource type 'foo'. Here's
the test procedure I'm following:
1.) Fire up sling-starter 11 and log into the Composum browser as admin.
2.) Add a user 'alice'.
3.) Add permission jcr:read to '/' for alice so she can browse in Composum.
4.) Create a sling:Folder node '/content/data' with Sling resource type 'foo'.
5.) Create a sling:Folder node '/content/data/child1' with Sling resource type
'foo'.
6.) For the '/content/data' node, add a permission with principal 'alice', rule
'allow', privileges 'jcr:all', and restrictions
'sling:resourceTypesWithDescendants=foo'.
7.) In a separate browser, log in as alice and go to Composum.
8.) As alice, try to create the node '/content/data/child2'.
Expected: User 'alice' can create the node.
Actual: The Composum "Create New Node" dialog displays the error "Error 400
javax.jcr.AccessDeniedException: OakAccess0000: Access denied" and the node is
not created.
If I check effective permissions in Composum for /content/data and
/content/data/child1, I see that 'alice' does receive jcr:all for both nodes.
Further, I can perform this check either as admin or alice, whereas I cannot
look at permissions on /content as alice.
If I try the Sling POST servlet as alice to create the node, I get a different
exception "org.apache.sling.api.resource.PersistenceException: Resource at
'/content/data/foo' is not modifiable."
Am I misunderstanding something about how restrictions work? Thank you for any
guidance you can offer!
John
The stack trace for the failure when creating via Composum is:
Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied
at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.checkPermissions(PermissionValidator.java:210) [org.apache.jackrabbit.oak-core:1.8.8]
at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.childNodeAdded(PermissionValidator.java:148) [org.apache.jackrabbit.oak-core:1.8.8]
at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:106) [org.apache.jackrabbit.oak-store-spi:1.8.8]
at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:32) [org.apache.jackrabbit.oak-store-spi:1.8.8]
The stack trace for Sling POST is:
org.apache.sling.api.resource.PersistenceException: Resource at '/content/data/child2' is not modifiable.
at org.apache.sling.servlets.post.impl.helper.SlingPropertyValueHandler.setProperty(SlingPropertyValueHandler.java:114)
at org.apache.sling.servlets.post.impl.operations.ModifyOperation.writeContent(ModifyOperation.java:372) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.operations.ModifyOperation.doRun(ModifyOperation.java:93) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.operations.AbstractPostOperation.run(AbstractPostOperation.java:99) [org.apache.sling.servlets.post:2.3.26]
at org.apache.sling.servlets.post.impl.SlingPostServlet.doPost(SlingPostServlet.java:228) [org.apache.sling.servlets.post:2.3.26]
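The same setup as steps 6 to 8 of the post, expressed against the Jackrabbit/JCR API instead of the Composum UI, as an added example that is not part of the original post or of Sling itself. It assumes an admin session and a separate session logged in as 'alice' are available; the class and method names are the example's own. The restriction is written through the multi-valued restriction map, since `sling:resourceTypesWithDescendants` is a multi-valued restriction, and the second method asks the repository as alice whether the add would be granted before any write is attempted.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;

import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

// Hypothetical helper class; not part of Sling, Oak or Composum.
public class ResourceTypeAceExample {

    /** Step 6: allow jcr:all for 'alice' on /content/data, restricted to nodes whose
     *  sling:resourceType is 'foo' and their descendants. Runs with an admin session. */
    public static void grantOnResourceType(Session adminSession) throws Exception {
        Principal alice = ((JackrabbitSession) adminSession)
                .getPrincipalManager().getPrincipal("alice");
        JackrabbitAccessControlList acl =
                AccessControlUtils.getAccessControlList(adminSession, "/content/data");
        Privilege[] all = AccessControlUtils.privilegesFromNames(adminSession, Privilege.JCR_ALL);

        // sling:resourceTypesWithDescendants is multi-valued, so it goes in the mvRestrictions map
        // rather than the single-valued restrictions map.
        Value[] types = { adminSession.getValueFactory().createValue("foo") };
        Map<String, Value[]> mvRestrictions =
                Collections.singletonMap("sling:resourceTypesWithDescendants", types);

        acl.addEntry(alice, all, true, Collections.<String, Value>emptyMap(), mvRestrictions);
        adminSession.getAccessControlManager().setPolicy("/content/data", acl);
        adminSession.save();
    }

    /** Steps 7 and 8 without a UI: check, as alice, whether adding the child would be permitted.
     *  Session.hasPermission accepts a path that does not exist yet, so this can be asked
     *  before the node is created and compared with what the "effective permissions" view shows. */
    public static boolean canAddChild(Session aliceSession, String parentPath, String childName)
            throws Exception {
        String childPath = parentPath + "/" + childName;
        boolean addGranted = aliceSession.hasPermission(childPath, Session.ACTION_ADD_NODE);
        boolean parentAll = aliceSession.getAccessControlManager().hasPrivileges(parentPath,
                AccessControlUtils.privilegesFromNames(aliceSession, Privilege.JCR_ALL));
        return addGranted && parentAll;
    }
}
```

Calling `canAddChild(aliceSession, "/content/data", "child2")` reports what the permission evaluation grants at the parent; the commit-time `PermissionValidator` in the trace above evaluates the new node itself, so the two can differ when the new node does not carry the resource type the restriction matches on.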