[jira] [Commented] (JCRVLT-427) Allow installation of packages with hook for users without admin privileges

Tue, 21 Apr 2020 04:57:40 -0700 


    [ 
https://issues.apache.org/jira/browse/JCRVLT-427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17088620#comment-17088620
 ] 

Angela Schreiber commented on JCRVLT-427:
-----------------------------------------

[~kwin], [~henzlerg], [~tripod], i am not sure i am familiar with the hooks you 
are referring to, so my comments might be a bit vague. but here we go:

- permissions are granted to principals and not to users/groups as identified 
by the jackrabbit user management. so, if you talk about a configuration option 
that is related to some permissions check, i probably should take principal 
names. note, that users/groups from the user management might not be the only 
type of principals known to the repository and you probably want to be able to 
include any kind of principals there irrespective of the source.
- composite nodestore: the read-only nature of the configured immutable stores 
is not tied to permission evaluation. they are immutable irrespective of the 
effective permissions granted to a given set of principals as generated upon 
login.
- if the permission setup is done properly the limitation to administrative 
principals would most likely not be needed at all.... i don't know why the 
limitation is in place but it might be a good thing to review why it was needed 
in the first place and fix the root cause if the permission setup is considered 
not to be safe enough.

hope that helps

> Allow installation of packages with hook for users without admin privileges
> ---------------------------------------------------------------------------
>
>                 Key: JCRVLT-427
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-427
>             Project: Jackrabbit FileVault
>          Issue Type: Improvement
>          Components: vlt
>            Reporter: Konrad Windszus
>            Assignee: Konrad Windszus
>            Priority: Major
>             Fix For: 3.4.6
>
>
> Currently due to the check in 
> https://github.com/apache/jackrabbit-filevault/blob/e257001ec22ea06bcc987cbf79f0cc9b15c4e186/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/impl/ZipVaultPackage.java#L184
>  packages containing a hook can only be installed by admins.
> Although I do understand the intent of that I think this is not flexible 
> enough as currently that only gives the rights to users "admin", "system" or 
> members of group "administrators". Instead there should be an OSGi 
> configuration which allows to configure to grant the right to install 
> packages with hooks to other groups as well!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to