On 6 Jul 2010, at 16:01, Alexander Klimetschek wrote:

> On Tue, Jul 6, 2010 at 16:42, Ian Boston <[email protected]> wrote:
>> I understand the principal based ACLs (or at least I think I do). I will 
>> have to integrate it into the extension of the Standard ACE/ACE 
>> AccessControlProvider since in this workspace we also need the normal ACL 
>> and IIRC the repository.xml does not allow you to configure more than one 
>> AccessControlProvider per workspace ?
> 
> There is a 
> org.apache.jackrabbit.core.security.authorization.combined.CombinedProvider
> that combines both the default resource-based provider
> (org.apache.jackrabbit.core.security.authorization.acl.ACLProvider)
> and the principal-one. Not sure exactly in which order both are
> applied, though. But if you don't mix principal- and resource-based
> ACLs for certain subtrees, it shouldn't be a problem at all.
> 
>> I *will* give this a go, however
>> I can't see how this will work when the AccessManager/AccessControlProvider 
>> does not discriminate between a listChildNodes call and a getNode call ?
>> 
>> IIRC the Sling ResourceResolver impl requires jcr:read to all the elements 
>> of a path leading to a node, not just the final node. I remember looking at 
>> the resolution process and seeing it walk up the path.
> 
> As I said above, listing child nodes in getNodes() will check the read
> permission on each child node before including it.
> 
> But for your use case it is not even necessary to separate the two
> cases at all, since these are _different_ child nodes, IIUC. The one
> with access is the user's node under /_user/foo, and all the others
> under /_user (expressed by /_user/* in the resource based ACLs) are
> not readable for the user:
> 
> Node users = session.getNode("/_user"); // works
> users.getNodes(); // returns only "/_user/foo"
> session.getNode("/_user/foo"); // works, too
> session.getNode("/_user/bar"); // no rights => PathNotFoundException
> 
> Or am I missing something in your use case?

Yes, I am not explaining myself clearly. Sorry.

/_user/aaa is jcr:read anon
...
/_user/ieb is jcr:read anon
...
/_user/zzz is jcr:read anon

but when I do 
users.getNodes(); I want to see a list of size 0, not a list of size n.

It's the entire list that must be protected. 
If I know the ID (aaa, ieb, zzz) I should be able to access it.
If I know every single ID, I should be able to access every URL, but I should 
not be able to discover all the IDs from the system.

The IDs are Student IDs and under the Data Protection Act as interpreted by 
the University of Cambridge IDs are not listable by anyone, IIUC this is part 
of the privacy policy of the University.

In the US the regulation is FERPA [1] and its interpretation by the 
institution. 

[1] http://en.wikipedia.org/wiki/Family_Educational_Rights_and_Privacy_Act



> 
>> Let me do the work and validate is this is the case or not. (after all, I 
>> was the one asking the question, so I should be prepared to spend time 
>> checking a possible solution :))
> 
> Ok, hope it works out as a good solution for you!
> 
> Regards,
> Alex
> 
> -- 
> Alexander Klimetschek
> [email protected]

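The distinction Ian draws, between reading a node whose ID you already know and enumerating the children of /_user, is easy to lose in a per-node read check. The following is an added model of the two listing semantics (it is not Jackrabbit, Sling or either poster's code): a constructed tree of three student-ID nodes, a resource-based ACL that grants read on /_user/* as in the thread, and two evaluations of getNodes(). The first filters children by read permission, which is what the thread describes Jackrabbit doing, and returns all n IDs; the second gates enumeration on a separate, hypothetical "list" privilege on the parent, so a known ID is still reachable but the listing is empty. The privilege names, the "list" privilege and the principals "anon" and "admin" are assumptions of this model, not JCR privileges.

```python
"""Model of the two getNodes() semantics discussed above.

Constructed example, not Jackrabbit/Sling code. The 'read' and 'list'
privilege names and the principals are assumptions for this model.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed node tree: parent path -> child paths (three student-ID nodes).
TREE = {
    "/": ["/_user"],
    "/_user": ["/_user/aaa", "/_user/ieb", "/_user/zzz"],
    "/_user/aaa": [],
    "/_user/ieb": [],
    "/_user/zzz": [],
}


@dataclass(frozen=True)
class Ace:
    """One access-control entry: a path pattern, a principal and its privileges."""
    pattern: str          # fnmatch-style; '/_user/*' covers every ID node
    principal: str
    privileges: frozenset


# Resource-based ACL as in the thread: every /_user/<id> node is readable by
# 'anon'; only 'admin' also holds the hypothetical 'list' privilege.
ACL = (
    Ace("/", "anon", frozenset({"read"})),
    Ace("/_user", "anon", frozenset({"read"})),
    Ace("/_user/*", "anon", frozenset({"read"})),
    Ace("/", "admin", frozenset({"read", "list"})),
    Ace("/_user", "admin", frozenset({"read", "list"})),
    Ace("/_user/*", "admin", frozenset({"read", "list"})),
)


def has_privilege(acl, principal, path, privilege):
    """True if some ACE for this principal grants the privilege on the path."""
    return any(
        ace.principal == principal
        and privilege in ace.privileges
        and fnmatchcase(path, ace.pattern)
        for ace in acl
    )


def get_node(acl, principal, path):
    """Direct access by a known path. A missing node and a node the caller may
    not read raise the same error, so the error is not an existence oracle
    (mirrors the PathNotFoundException behaviour described in the thread)."""
    if path not in TREE or not has_privilege(acl, principal, path, "read"):
        raise LookupError(path)
    return path


def get_nodes_filtered(acl, principal, path):
    """Per-child read filtering: every child the caller can read is returned.
    With read granted on /_user/*, 'anon' gets all n IDs back."""
    get_node(acl, principal, path)
    return [c for c in TREE[path] if has_privilege(acl, principal, c, "read")]


def get_nodes_list_gated(acl, principal, path):
    """Enumeration gated by a separate 'list' privilege on the parent: a known
    child stays readable via get_node(), but without 'list' the listing is empty."""
    get_node(acl, principal, path)
    if not has_privilege(acl, principal, path, "list"):
        return []
    return [c for c in TREE[path] if has_privilege(acl, principal, c, "read")]


if __name__ == "__main__":
    print("filtered:", get_nodes_filtered(ACL, "anon", "/_user"))   # all three IDs
    print("gated:   ", get_nodes_list_gated(ACL, "anon", "/_user"))  # []
    print("direct:  ", get_node(ACL, "anon", "/_user/ieb"))          # known ID works
```

The point of the model is that the policy "readable if known, not enumerable" needs a check on the parent that is distinct from the read check on each child; filtering children by read permission alone cannot express it when every child is readable. Keeping the denied and missing cases on the same error path also matters, since a distinguishable error would itself let a caller confirm which IDs exist.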