On Tue, Jul 6, 2010 at 10:21, Ian Boston <i...@tfd.co.uk> wrote:
> A follow up on this, low level permissions won't work since they can't
> discriminate between list children and get child.

Rereading your original mail now, I note that I didn't see that you
still want the sub nodes to be accessible. Then my answer is no
solution, of course ;-)

I don't think it is a good idea to have things "accessible, but not
discoverable". JCR access controls for sure aren't built to support
this case (maybe a custom jackrabbit ACLProvider could be built, but
not sure if it can really differentiate between say parent.getNodes()
and session.getNode()). I don't know of anything out there that does
this separation.

But back to your actual use case:

> eg
> Anon, can't list the contents of /_user
> /_user/
>
> but can list the contents of
> /_user/ieb
>
> and can download
> /_user/ieb/myinfo.pdf
>
> and ieb can download
> /_user/ieb/private/myinfo.pdf
>
> Also
> Can webdav upload to
> /_user/ieb
>
> but can't see all users at
> /_user/
>
> only sees
> /_user/ieb
>
>
> Also
> can't see all children of /_user with
> /.2.json

There are two simple solutions I would see for this use case:
- /_user and /_user/ieb are readable for anonymous, the other children
of /_user are denied
- if "ieb" is a user-specific path, you have to authenticate users and
work with specific users instead of anonymous

> I have done a filter that prevents http access to nodes by a property on that
> node; it's ugly, but works as required, but that leads me to 2 thoughts.
>
> 1. In the WebDav area:
>
> We could modify the webdav servlet to allow other bundles to provide an 
> implementation of SlingResourceConfig or ItemFilter in the Sling webdav 
> bundle or some other service implementation to provide filtering of webdav.
>
> 2. In the default Sling servlet a node property could be used to deny listing 
> of the children of a node.

Just a note: I personally would refrain from building another access
control mechanism into a higher layer (Sling vs. JCR), as it really
complicates the overall system. At least I would object to putting
something like this into Sling.

Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetsc...@day.com
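The first of the two solutions suggested above, written out against the JCR 2.0 access control API with Jackrabbit's deny extension. This is an added example, not code from the thread, from Sling or from Jackrabbit; the principal name "anonymous" for the unauthenticated user, the path layout and the use of a JackrabbitSession are assumptions.

```java
import java.security.Principal;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;

public class UserHomeAcl {

    /** Returns the modifiable ACL for path, whether already bound or still only applicable. */
    static JackrabbitAccessControlList getAcl(AccessControlManager acm, String path) throws Exception {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        throw new IllegalStateException("no modifiable ACL at " + path);
    }

    /** Adds an allow or deny entry for jcr:read; deny entries are a Jackrabbit extension over JCR 2.0. */
    static void setRead(Session session, String path, Principal who, boolean allow) throws Exception {
        AccessControlManager acm = session.getAccessControlManager();
        JackrabbitAccessControlList acl = getAcl(acm, path);
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        acl.addEntry(who, read, allow);
        acm.setPolicy(path, acl);
    }

    /** Makes /_user and /_user/<visibleUser> readable for anonymous and denies every other child. */
    public static void apply(JackrabbitSession admin, String visibleUser) throws Exception {
        PrincipalManager pm = admin.getPrincipalManager();
        Principal anonymous = pm.getPrincipal("anonymous"); // assumed name of the unauthenticated user
        // /_user itself must be readable, otherwise anonymous cannot traverse to the visible child.
        setRead(admin, "/_user", anonymous, true);
        for (NodeIterator it = admin.getNode("/_user").getNodes(); it.hasNext(); ) {
            Node child = it.nextNode();
            // jcr:read gates both parent.getNodes() and session.getNode(): a denied child
            // neither shows up in the listing nor resolves by path, so there is no
            // "accessible but not discoverable" state to configure here.
            setRead(admin, child.getPath(), anonymous, child.getName().equals(visibleUser));
        }
        admin.save();
    }
}
```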