On Fri, Jul 2, 2010 at 12:26, Ian Boston <i...@tfd.co.uk> wrote:
>
> On 2 Jul 2010, at 10:41, Alexander Klimetschek wrote:
>
>> On Fri, Jul 2, 2010 at 11:29, Bertrand Delacretaz
>> <bdelacre...@apache.org> wrote:
>>>> Anon can't list the contents of /_user
>>>> /_user/
>>>
>>> Deny a (custom? new?) "list child nodes" permission on /_user to anon
>>
>> Currently you would have to deny the jcr:read permission on all child
>> nodes to get this effect.
>
>
> Unfortunately one of the other requirements has been lost in the thread.
>
> /_user/ieb/public/x.pdf
>
> must be readable by anon.

This should work with the principal-based auth, given a proper order
of the rules, afaik.

> IIUC, anon jcr:read deny on /_user/ieb  will prevent anon from accessing
> /_user/ieb/public
> and
> /_user/ieb/public/x.pdf
>
> since all elements of the path must be readable.
>
>
> The ACL that is required on /_user is
> anon:deny:jcr:list-child-nodes
> anon:grant:jcr:read
>
> so that anon can still do
> session.getNode("/_user/ieb")
>
> but not
> Node n = session.getNode("/_user");
> NodeIterator ni = n.getNodes();
>
>
> I have a feeling this is just not possible in JCR2 at the AccessManager level
> since it can't distinguish between a direct request and a listing request, can
> you confirm?

Conceptually there is no "listing request". When you list sub nodes,
you get all nodes that you have access to. Thus there is a single
"jcr:read" permission which means access to this node and its
properties.

Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetsc...@day.com
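As an added illustration of the point made above (this is example code written for this page, not code from the thread or from Jackrabbit), the standard JCR 2.0 access-control API only lets you grant privileges such as jcr:read per node, and a child listing simply returns the nodes the session may read. The helpers assume an admin `Session`, an anonymous `Session` and the anonymous `Principal` are obtained elsewhere (how to look up a principal is repository-specific); the paths are the ones from the thread.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

public class ReadOnlyListingExample {

    // Grant jcr:read on one path to one principal using only the JCR 2.0 API.
    // Note: the standard AccessControlList has no deny entries; "deny" is a
    // vendor extension, which is why there is no portable "list children" rule.
    static void grantRead(Session admin, String path, Principal who) throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        AccessControlList acl = null;
        for (AccessControlPolicy p : acm.getPolicies(path)) {          // already bound?
            if (p instanceof AccessControlList) { acl = (AccessControlList) p; }
        }
        if (acl == null) {                                             // otherwise take an applicable one
            AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
            while (it.hasNext() && acl == null) {
                AccessControlPolicy p = it.nextAccessControlPolicy();
                if (p instanceof AccessControlList) { acl = (AccessControlList) p; }
            }
        }
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        acl.addAccessControlEntry(who, read);
        acm.setPolicy(path, acl);
        admin.save();
    }

    // What a session sees when it lists a parent: only children it may read.
    // There is no separate "listing" permission to check, just jcr:read per node.
    static List<String> visibleChildren(Session s, String parent) throws RepositoryException {
        List<String> names = new ArrayList<String>();
        NodeIterator it = s.getNode(parent).getNodes();
        while (it.hasNext()) { names.add(it.nextNode().getName()); }
        return names;
    }

    // Single read check a defender can use to audit what anon can reach.
    static boolean anonCanRead(Session anon, String path) throws RepositoryException {
        return anon.hasPermission(path, Session.ACTION_READ);
    }
}
```

With jcr:read granted to the anonymous principal on /_user/ieb/public only, `anonCanRead(anon, "/_user/ieb/public/x.pdf")` is the check to run; whether `s.getNode("/_user")` succeeds for anon depends on read access to /_user itself, which is exactly the ancestor question raised in the thread.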
