Ankita Agarwal created JCRVLT-721:
-------------------------------------
Summary: Importing content packages with minimum permissions fails
Key: JCRVLT-721
URL: https://issues.apache.org/jira/browse/JCRVLT-721
Project: Jackrabbit FileVault
Issue Type: Bug
Components: Packaging
Affects Versions: 3.7.0
Reporter: Ankita Agarwal

Importing Content Packages using a dedicated user (with minimum permissions)
has failed with AccessDeniedExceptions since JCRVLT 3.7.0 release.
This is a regression of issue JCRVLT-683, specific to the logic that has been
added to determine the root paths of groups and users in
JackrabbitACLManagement#determineAuthorizableRootPaths
(https://github.com/apache/jackrabbit-filevault/blame/jackrabbit-filevault-3.7.0/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JackrabbitACLManagement.java#L119).
The new logic creates a group and a user in order to determine the root paths
of groups and users and immediately deletes them afterward.
This is a bad solution as it breaks the Principle of Least Permission (PoLP):
The user that is being used to import content should not have permission to
create and delete users and groups.
The root paths of users and groups are always initialized as /home/users and
/home/groups, so there is little need to determine root paths by creating and
deleting groups and users.
----
*Steps to reproduce:*
* You create a user that you use to import content. You give it all
permissions on /content
* When you import a content package that replaces existing content (= when you
import the same content package twice, and it has "replace" in its filter
definition), you will see that it fails with the error that it cannot access
the /home/groups or /home/users repository path
----
*Expected Behavior:* Successful content package imports
----
*Experienced Behavior:* Content package imports that succeeded before now fail
with AccessDeniedExceptions