[ https://issues.apache.org/jira/browse/JCR-3931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14998534#comment-14998534 ]

Kamil commented on JCR-3931:
----------------------------

When I set READ access for "/foo" as "folder and children" (rep:glob not set) and revoke the access for "/foo/child", then it works, but I really need to have "Folder only" (rep:glob set to "") for /foo (because the default behaviour for children of "/foo" should be "disallow", and allow only for selected children on demand).

> Denying access to child node results hiding property in parent
> --------------------------------------------------------------
>
> Key: JCR-3931
> URL: https://issues.apache.org/jira/browse/JCR-3931
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Affects Versions: 2.10.1
> Reporter: Kamil
>
> I create a node with a child:
> {noformat}
> /foo
> /foo/child
> {noformat}
> The foo node has a property "myProp", so:
> {noformat}
> Node node = session.getNode("/foo");
> System.out.println(node.hasProperty("myProp"));
> {noformat}
> results in "true".
> Then I create a new user and give him read access to the /foo folder and the /foo/child folder:
> {noformat}
> UserManager userManager = ((JackrabbitSession) session).getUserManager();
> Principal principal = userManager.createUser("test", "test").getPrincipal();
> JackrabbitAccessControlList jacl = null;
> JackrabbitAccessControlManager acManager =
>         (JackrabbitAccessControlManager) session.getAccessControlManager();
> JackrabbitAccessControlPolicy[] policies = acManager.getPolicies(principal);
> if (policies.length == 0) {
>     // No policies yet. Create one from the applicablePolicies
>     policies = acManager.getApplicablePolicies(principal);
> }
> jacl = (JackrabbitAccessControlList) policies[0];
> Privilege[] privileges = new Privilege[]{acManager.privilegeFromName(Privilege.JCR_READ)};
> // foo
> Map<String, Value> restrictions = new HashMap<String, Value>();
> ValueFactory vf = session.getValueFactory();
> restrictions.put("rep:nodePath", vf.createValue("/foo", PropertyType.PATH));
> restrictions.put("rep:glob", vf.createValue(""));
> jacl.addEntry(principal, privileges, true, restrictions);
> // foo/child
> restrictions = new HashMap<String, Value>();
> restrictions.put("rep:nodePath", vf.createValue("/foo/child", PropertyType.PATH));
> restrictions.put("rep:glob", vf.createValue(""));
> jacl.addEntry(principal, privileges, true, restrictions);
> acManager.setPolicy(jacl.getPath(), jacl);
> session.save();
> {noformat}
> Now, if I log in as test and read my property:
> {noformat}
> Session session = repository.login(
>         new SimpleCredentials("test", "test".toCharArray()), workspace);
> Node node = session.getNode("/foo");
> System.out.println(node.hasProperty("myProp"));
> {noformat}
> this also results in true,
> BUT when I remove the access control entry for /foo/child and add another using allow=false:
> {noformat}
> AccessControlEntry[] accessControlEntries = jacl.getAccessControlEntries();
> AccessControlEntry result = null;
> for (AccessControlEntry accessControlEntry : accessControlEntries) {
>     if (((JackrabbitAccessControlEntry) accessControlEntry)
>             .getRestriction("rep:nodePath").getString().equals("/foo/child")) {
>         result = accessControlEntry;
>     }
> }
> jacl.removeAccessControlEntry(result);
> Privilege[] privileges = new Privilege[]{acManager.privilegeFromName(Privilege.JCR_READ)};
> Map<String, Value> restrictions = new HashMap<String, Value>();
> ValueFactory vf = session.getValueFactory();
> restrictions.put("rep:nodePath", vf.createValue("/foo/child", PropertyType.PATH));
> jacl.addEntry(principal, privileges, false /*HERE*/, restrictions);
> acManager.setPolicy(jacl.getPath(), jacl);
> session.save();
> {noformat}
> then
> {noformat}
> Session session = repository.login(
>         new SimpleCredentials("test", "test".toCharArray()), workspace);
> Node node = session.getNode("/foo");
> System.out.println(node.hasProperty("myProp"));
> {noformat}
> results in "false", which I consider a bug.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)