[
https://issues.apache.org/jira/browse/JCR-3931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14998534#comment-14998534
]
Kamil commented on JCR-3931:
----------------------------
When I set READ access for "/foo" as "folder and children" (rep:glob not
set) and revoke the access for "/foo/child", then it works, but I really need
to have "Folder only" (rep:glob set to "") for /foo (because the default behaviour
for children of "/foo" should be "disallow" and allow only for selected
children on demand).
> Denying access to child node results hiding property in parent
> --------------------------------------------------------------
>
> Key: JCR-3931
> URL: https://issues.apache.org/jira/browse/JCR-3931
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Affects Versions: 2.10.1
> Reporter: Kamil
>
> I create a node with a child:
> {noformat}
> /foo
> /foo/child
> {noformat}
> foo node has a property "myProp", so:
> {noformat}
> Node node = session.getNode("/foo");
> System.out.println(node.hasProperty("myProp"));
> {noformat}
> results in "true"
> Then I create a new user and give him read access to the /foo folder and the
> /foo/child folder:
> {noformat}
> UserManager userManager = ((JackrabbitSession) session).getUserManager();
> Principal principal = userManager.createUser("test", "test").getPrincipal();
> JackrabbitAccessControlList jacl = null;
> JackrabbitAccessControlManager acManager = (JackrabbitAccessControlManager) session.getAccessControlManager();
> JackrabbitAccessControlPolicy[] policies = acManager.getPolicies(principal);
> if (policies.length == 0) {
>     // No policies yet. Create one from the applicablePolicies
>     policies = acManager.getApplicablePolicies(principal);
> }
> jacl = (JackrabbitAccessControlList) policies[0];
> Privilege[] privileges = new Privilege[]{acManager.privilegeFromName(Privilege.JCR_READ)};
> //foo
> Map<String, Value> restrictions = new HashMap<String, Value>();
> ValueFactory vf = session.getValueFactory();
> restrictions.put("rep:nodePath", vf.createValue("/foo", PropertyType.PATH));
> restrictions.put("rep:glob", vf.createValue(""));
> jacl.addEntry(principal, privileges, true, restrictions);
> //foo/child
> restrictions = new HashMap<String, Value>();
> restrictions.put("rep:nodePath", vf.createValue("/foo/child", PropertyType.PATH));
> restrictions.put("rep:glob", vf.createValue(""));
> jacl.addEntry(principal, privileges, true, restrictions);
> acManager.setPolicy(jacl.getPath(), jacl);
> session.save();
> {noformat}
> Now, if I log in as test and read my property:
> {noformat}
> Session session = repository.login(new SimpleCredentials("test",
> "test".toCharArray()), workspace);
> Node node = session.getNode("/foo");
> System.out.println(node.hasProperty("myProp"));
> {noformat}
> this also results in "true",
> BUT - when I remove the access control entry for /foo/child and add another one
> using allow=false:
> {noformat}
> AccessControlEntry[] accessControlEntries = jacl.getAccessControlEntries();
> AccessControlEntry result = null;
> for (AccessControlEntry accessControlEntry : accessControlEntries) {
>     if (((JackrabbitAccessControlEntry) accessControlEntry).getRestriction("rep:nodePath").getString().equals("/foo/child")) {
>         result = accessControlEntry;
>     }
> }
> jacl.removeAccessControlEntry(result);
> Privilege[] privileges = new Privilege[]{acManager.privilegeFromName(Privilege.JCR_READ)};
> Map<String, Value> restrictions = new HashMap<String, Value>();
> ValueFactory vf = session.getValueFactory();
> restrictions.put("rep:nodePath", vf.createValue("/foo/child", PropertyType.PATH));
> jacl.addEntry(principal, privileges, false /*HERE*/, restrictions);
> acManager.setPolicy(jacl.getPath(), jacl);
> session.save();
> {noformat}
> then
> {noformat}
> Session session = repository.login(new SimpleCredentials("test",
> "test".toCharArray()), workspace);
> Node node = session.getNode("/foo");
> System.out.println(node.hasProperty("myProp"));
> {noformat}
> results in "false", which I consider a bug.