On Tue, Jul 6, 2010 at 16:42, Ian Boston <i...@tfd.co.uk> wrote:
> I understand the principal based ACLs (or at least I think I do). I will have 
> to integrate it into the extension of the Standard ACE/ACE 
> AccessControlProvider since in this workspace we also need the normal ACL and 
> IIRC the repository.xml does not allow you to configure more than one 
> AccessControlProvider per workspace?

There is an
org.apache.jackrabbit.core.security.authorization.combined.CombinedProvider
that combines both the default resource-based provider
(org.apache.jackrabbit.core.security.authorization.acl.ACLProvider)
and the principal-one. Not sure exactly in which order both are
applied, though. But if you don't mix principal- and resource-based
ACLs for certain subtrees, it shouldn't be a problem at all.

> I *will* give this a go, however
> I can't see how this will work when the AccessManager/AccessControlProvider
> does not discriminate between a listChildNodes call and a getNode call?
>
> IIRC The Sling ResourceResolver impl requires jcr:read to all the elements of 
> a path leading to a node, not just the final node. I remember looking at the 
> resolution process and seeing it walk up the path.

As I said above, listing child nodes in getNodes() will check the read
permission on each child node before including it.

But for your use case it is not even necessary to separate the two
cases at all, since these are _different_ child nodes, IIUC. The one
with access is the user's node under /_user/foo, and all the others
under /_user (expressed by /_user/* in the resource based ACLs) are
not readable for the user:

Node users = session.getNode("/_user"); // works
users.getNodes(); // returns only "/_user/foo"
session.getNode("/_user/foo"); // works, too
session.getNode("/_user/bar"); // no rights => PathNotFoundException

Or am I missing something in your use case?

> Let me do the work and validate if this is the case or not. (after all, I was
> the one asking the question, so I should be prepared to spend time checking a 
> possible solution :))

Ok, hope it works out as a good solution for you!

Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetsc...@day.com
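
An added example, not part of the original message or of Jackrabbit: one way to validate the behaviour described above from a session logged in as the restricted user, using only the standard JCR 2.0 API. The class name, method name and parameters are hypothetical; the sibling names passed in are assumed to have been confirmed to exist from an admin session.

```java
import java.util.ArrayList;
import java.util.List;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

/** Hypothetical helper: checks per-user isolation under a shared parent such as /_user. */
public final class UserHomeIsolationCheck {
    /**
     * @param userSession session logged in as the restricted user (not an admin session)
     * @param parentPath  shared parent, e.g. "/_user"
     * @param ownName     child the user may read, e.g. "foo"
     * @param otherNames  siblings known to exist but meant to be hidden, e.g. "bar"
     * @return violations found; an empty list means the ACLs behave as described
     */
    public static List<String> check(Session userSession, String parentPath,
                                     String ownName, String... otherNames)
            throws RepositoryException {
        List<String> violations = new ArrayList<String>();
        String ownPath = parentPath + "/" + ownName;
        // The parent and the user's own node must both resolve.
        if (!userSession.nodeExists(parentPath)) violations.add("cannot read " + parentPath);
        if (!userSession.nodeExists(ownPath)) violations.add("cannot read " + ownPath);
        if (!violations.isEmpty()) return violations;
        // Listing path: getNodes() must filter out every sibling the user cannot read.
        Node parent = userSession.getNode(parentPath);
        for (NodeIterator it = parent.getNodes(); it.hasNext();) {
            String p = it.nextNode().getPath();
            if (!p.equals(ownPath)) violations.add("listing leaks " + p);
        }
        // Direct path: each sibling must look non-existent to this session.
        for (String other : otherNames) {
            String p = parentPath + "/" + other;
            try {
                userSession.getNode(p);
                violations.add("direct read allowed for " + p);
            } catch (PathNotFoundException expected) {
                // hidden as intended
            }
            if (userSession.hasPermission(p, Session.ACTION_READ)) {
                violations.add("read permission reported for " + p);
            }
        }
        return violations;
    }
}
```

Checking both the listing and the direct lookup matters here because the thread's question is whether the two paths are filtered consistently.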
