[ https://issues.apache.org/jira/browse/JCRVLT-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17771198#comment-17771198 ]
Konrad Windszus commented on JCRVLT-721: ---------------------------------------- bq. The root paths of users and groups are always initialized as /home/users and /home/groups, so there is little need to determine root paths by creating and deleting groups and users. This is not true. That path is configurable in Oak (compare with https://jackrabbit.apache.org/oak/docs/security/user/default.html#configuration {{PARAM_USERS_PATH}} and {{PARAM_GROUP_PATH}}), particularly the default is {{/rep:security/rep:authorizables/rep:users}} and {{/rep:security/rep:authorizables/rep:groups}} respectively. Unfortunately there is no API to determine the authorizable root path. But I am open for other suggestions on how to implement this. > Importing content packages with minimum permissions fails > ---------------------------------------------------------- > > Key: JCRVLT-721 > URL: https://issues.apache.org/jira/browse/JCRVLT-721 > Project: Jackrabbit FileVault > Issue Type: Bug > Components: Packaging > Affects Versions: 3.7.0 > Reporter: Ankita Agarwal > Priority: Major > > Importing Content Packages using a dedicated user (with minimum permissions) > has failed with AccessDeniedExceptions since JCRVLT 3.7.0 release. > This is a regression of issue JCRVLT-683 specifically to logic that has been > added to determine the root paths of groups and users in > JackrabbitACLManagement#determineAuthorizableRootPaths > ([https://github.com/apache/jackrabbit-filevault/blame/jackrabbit-filevault-3.7.0/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JackrabbitACLManagement.java#L119]). > The new logic creates a group and a user in order to determine the root paths > of groups and users and immediately deletes them afterward. > This is a bad solution as it breaks the Principle of Least Permission (PoLP): > The user that is being used to import content should not have permission to > create and delete users and groups. > The root paths of users and groups are always initialized as /home/users and > /home/groups, so there is little need to determine root paths by creating and > deleting groups and users. > ---- > *Steps to reproduce:* > * You create a user that you use to import content. You give it all > permissions on /content > * When you import a content package that replaces existing content (= when > you import the same content package twice, and it has "replace" in its filter > definition), you will see that it fails with the error that it cannot access > the /home/groups or /home/users repository path > ---- > *Expected Behavior:* Successful content package imports > ---- > *Experienced Behavior:* Content package imports that succeeded before now > fail with AccessDeniedExceptions -- This message was sent by Atlassian Jira (v8.20.10#820010)