On 3/17/10 5:27 AM, Ian Boston wrote:
I just noticed that AccessControlUtil.replaceAccessControlEntry searches for a
match on ACE within an ACL using the principal only. (and not the grant or deny
as well)
So if there was a grant acl and the replacement is a deny, then the grant is
removed, even if the deny did not deny what was granted (I think I better give
and example :) )
before
grant:ieb:jcr:write
update with
deny:ieb:jcr:nodeTypeManagement
after update
deny:ieb:jcr:nodeTypeManagement
That would be a bug -- the method's documented intent is not to
interfere with any grants or denies on unmentioned privileges (after
disaggregation). Looks like the integration test may be missing a case.
Best,
Ray
----
I think, the ACLTemplate in JCR2 will support
grant:ieb:jcr:write
deny:ieb:jcr:nodeTypeManagement
in a single ACL, perhaps the replace should look at both the principal and the
allow/deny
WDYT?
Ian
