Hi Ian, I am having trouble reproducing what you have described. I added a new unit test in r924618 to test the scenario you described and it appears to work correctly for me. Can you check the new unit test to see if there are some extra steps in your use case that I am missing?
Regards,
-Eric

On Wed, Mar 17, 2010 at 9:02 AM, Ray Davis <[email protected]> wrote:

> On 3/17/10 5:27 AM, Ian Boston wrote:
>
>> I just noticed that AccessControlUtil.replaceAccessControlEntry searches
>> for a match on ACE within an ACL using the principal only. (and not the
>> grant or deny as well)
>>
>> So if there was a grant acl and the replacement is a deny, then the grant
>> is removed, even if the deny did not deny what was granted (I think I better
>> give an example :) )
>>
>> before
>>
>> grant:ieb:jcr:write
>>
>> update with
>>
>> deny:ieb:jcr:nodeTypeManagement
>>
>> after update
>>
>> deny:ieb:jcr:nodeTypeManagement
>
> That would be a bug -- the method's documented intent is not to interfere
> with any grants or denies on unmentioned privileges (after disaggregation).
> Looks like the integration test may be missing a case.
>
> Best,
> Ray
>
>> ----
>>
>> I think, the ACLTemplate in JCR2 will support
>>
>> grant:ieb:jcr:write
>> deny:ieb:jcr:nodeTypeManagement
>>
>> in a single ACL, perhaps the replace should look at both the principal and
>> the allow/deny
>> WDYT?
>>
>> Ian
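The two matching rules discussed in this thread, side by side, as an added example that is not part of the original messages and is not Sling's code. The `Ace` record, both method names and the merge behaviour of the second rule are assumptions made for illustration, and privilege names are treated as atomic, so aggregate disaggregation is not modelled.

```java
import java.util.*;

// Added illustration: a simplified model, NOT Sling's AccessControlUtil.
// Privilege names are treated as atomic strings (no aggregate disaggregation).
public class AceReplaceDemo {
    record Ace(String principal, boolean allow, Set<String> privileges) {}

    // Rule as described in the report: match on principal only, so every
    // existing entry for that principal is dropped, whatever its type.
    static List<Ace> replaceByPrincipal(List<Ace> acl, Ace update) {
        List<Ace> out = new ArrayList<>();
        for (Ace ace : acl)
            if (!ace.principal().equals(update.principal())) out.add(ace);
        out.add(update);
        return out;
    }

    // Match on principal AND allow/deny. Assumed handling: a same-type entry
    // is merged into the update; an opposite-type entry loses only the
    // privileges the update mentions, so unmentioned ones survive.
    static List<Ace> replaceByPrincipalAndType(List<Ace> acl, Ace update) {
        List<Ace> out = new ArrayList<>();
        Set<String> merged = new TreeSet<>(update.privileges());
        for (Ace ace : acl) {
            if (!ace.principal().equals(update.principal())) {
                out.add(ace);
            } else if (ace.allow() == update.allow()) {
                merged.addAll(ace.privileges());
            } else {
                Set<String> rest = new TreeSet<>(ace.privileges());
                rest.removeAll(update.privileges());
                if (!rest.isEmpty()) out.add(new Ace(ace.principal(), ace.allow(), rest));
            }
        }
        out.add(new Ace(update.principal(), update.allow(), merged));
        return out;
    }

    public static void main(String[] args) {
        // Constructed input taken from the example in the thread.
        List<Ace> before = List.of(new Ace("ieb", true, Set.of("jcr:write")));
        Ace update = new Ace("ieb", false, Set.of("jcr:nodeTypeManagement"));
        System.out.println("principal only:     " + replaceByPrincipal(before, update));
        System.out.println("principal and type: " + replaceByPrincipalAndType(before, update));
    }
}
```

A regression test for the reported scenario would assert that the `jcr:write` grant is still present after the deny is applied, which holds under the second rule and fails under the first.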
