Hi,
On Thu, Jul 1, 2010 at 1:52 PM, Ian Boston <[email protected]> wrote:
> ...I want to be able to stop the listing of all child nodes at specific urls,
> but still allow direct access to items in a subtree.
> Any ideas how this is best done in Sling? (and webdav)...

I'm fairly ignorant about the internals of access control in
Jackrabbit, so let me go on with a naive "ideal world" idea.
I'll let others find out if that's implementable ;-)

One thing that bugs me in JCR is the lack of the "user owner" and
"group owner" concepts of unix filesystems - I find those very useful
to solve such cases. So my first suggestion would be to introduce
those concepts, ideally allowing multiple groups to own a node.

> Anon, can't list the contents of /_user
> /_user/

Deny a (custom? new?) "list child nodes" permission on /_user to anon

>
> but can list the contents of
> /_user/ieb

Session.getNode("/_user/ieb") works because that doesn't require
calling getNodes() on /_user, so the "list child nodes" permission is
not needed.

>
> and can download
> /_user/ieb/myinfo.pdf

For the same reason

>
> and ieb can download
> /_user/ieb/private/myinfo.pdf

I think you mean "only ieb"; in that case I'd set "user owner=ieb" and
"only user owner can read" on /_user/ieb/private

> Can webdav upload to
> /_user/ieb

Yes, because that doesn't require the "list child nodes" permission -
upload must only check for no conflicts with existing nodes (tricky?)

>
> but can't see all users at
> /_user/

because "list child nodes" is denied on /_user/

> only sees
> /_user/ieb

as above

> Also
> can't see all children of /_user with
> /.2.json

because "list child nodes" is denied on /_user/

Dreaming aloud hey?
I often find that's the best way to look for solutions...

-Bertrand
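
Added example (not part of the original message, and not Jackrabbit or Sling code): a toy in-memory Python model of the "list child nodes" permission and "user owner" idea sketched above, showing that lookup by path and enumeration are checked separately. The class and function names, and the rule that an owner-only node hides its whole subtree, are assumptions made for the illustration.

```python
# Toy in-memory model of the idea in the message; not Jackrabbit or Sling code.
LIST = "list child nodes"   # the proposed new permission (hypothetical)
READ = "read"

class Node:
    def __init__(self):
        self.owner = None        # proposed "user owner"
        self.owner_only = False  # proposed "only user owner can read"
        self.denied = {}         # principal -> set of denied permissions
        self.children = {}

class Repo:
    def __init__(self):
        self.root = Node()

    def add(self, path, owner=None, owner_only=False):
        """Setup helper, no access checks: create the node at path."""
        node = self.root
        for name in filter(None, path.split("/")):
            node = node.children.setdefault(name, Node())
        node.owner, node.owner_only = owner, owner_only
        return node

    def get_node(self, user, path):
        """Direct access by path: checks READ but never LIST."""
        node = self.root
        for name in filter(None, path.split("/")):
            node = node.children[name]  # KeyError if the node is absent
            # Assumption: an owner-only node hides its whole subtree.
            if node.owner_only and node.owner != user:
                raise PermissionError(path)
        if READ in node.denied.get(user, ()):
            raise PermissionError(path)
        return node

    def get_nodes(self, user, path):
        """Enumerate children: also needs LIST on the node itself."""
        node = self.get_node(user, path)
        if LIST in node.denied.get(user, ()):
            raise PermissionError(path)
        return sorted(node.children)

def build_example():
    """Constructed tree matching the paths discussed in the thread."""
    repo = Repo()
    repo.add("/_user").denied["anon"] = {LIST}
    repo.add("/_user/ieb/myinfo.pdf")
    repo.add("/_user/ieb/private", owner="ieb", owner_only=True)
    repo.add("/_user/ieb/private/myinfo.pdf")
    return repo
```

In this model a direct lookup still distinguishes a missing node (KeyError) from a denied one (PermissionError), so child names under /_user can be confirmed by guessing even though they cannot be listed.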