[jira] [Resolved] (JCRVLT-721) Importing content packages with minimum permissions fails

Wed, 04 Oct 2023 01:00:04 -0700 


     [ 
https://issues.apache.org/jira/browse/JCRVLT-721?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus resolved JCRVLT-721.
------------------------------------
    Fix Version/s: 3.7.2
         Assignee: Konrad Windszus
       Resolution: Fixed

Fixed in 
https://github.com/apache/jackrabbit-filevault/commit/3fd7495594126785f5220bd8e3e3ef6ab6026d98.

Thanks a lot for the PR [~madamcin].

> Importing content packages with minimum permissions fails 
> ----------------------------------------------------------
>
>                 Key: JCRVLT-721
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-721
>             Project: Jackrabbit FileVault
>          Issue Type: Bug
>          Components: Packaging
>    Affects Versions: 3.7.0
>            Reporter: Ankita Agarwal
>            Assignee: Konrad Windszus
>            Priority: Major
>             Fix For: 3.7.2
>
>
> Importing Content Packages using a dedicated user (with minimum permissions) 
> has failed with AccessDeniedExceptions since JCRVLT 3.7.0 release.
> This is a regression of issue JCRVLT-683 specifically to logic that has been 
> added to determine the root paths of groups and users in 
> JackrabbitACLManagement#determineAuthorizableRootPaths 
> ([https://github.com/apache/jackrabbit-filevault/blame/jackrabbit-filevault-3.7.0/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JackrabbitACLManagement.java#L119]).
> The new logic creates a group and a user in order to determine the root paths 
> of groups and users and immediately deletes them afterward.
> This is a bad solution as it breaks the Principle of Least Permission (PoLP): 
> The user that is being used to import content should not have permission to 
> create and delete users and groups. 
> The root paths of users and groups are always initialized as /home/users and 
> /home/groups, so there is little need to determine root paths by creating and 
> deleting groups and users.
> ----
> *Steps to reproduce:* 
>  * You create a user that you use to import content. You give it all 
> permissions on /content
>  * When you import a content package that replaces existing content (= when 
> you import the same content package twice, and it has "replace" in its filter 
> definition), you will see that it fails with the error that it cannot access 
> the /home/groups or /home/users repository path
> ----
> *Expected Behavior:* Successful content package imports
> ----
> *Experienced Behavior:* Content package imports that succeeded before now 
> fail with AccessDeniedExceptions 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to