[
https://issues.apache.org/jira/browse/SLING-9953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17242135#comment-17242135
]
Angela Schreiber commented on SLING-9953:
-----------------------------------------
note: i have the impression that this actually not only applies to the target
service user home itself (e.g. a service user being granted access to its own
home node). it might go further if a given service user was granted access to
some other user/group home.... while this might not be super common, i suspect
that this was the reason for SLING-8586 that led to the bogus intermediate
path creation (see SLING-9961).
if it is not possible during execution of the converter to determine the ID of
another user to properly construct the {{home(userId)subpath}} statements (the
name of the user node usually is an arbitrary string and doesn't reflect the
identifier), the converter either has to abort or log an error and omit the
entries that cannot be processed.
so: user/group nodes need to be identified as such and treated accordingly.
also note that the path to all user/group nodes is a configuration option in
Jackrabbit Oak that must not be hardcoded (unless the feature is designed to
only work with one specific application or setup.... in this case this needs
to be documented).
> ACEs on/below user nodes are ignored upon conversion
> ----------------------------------------------------
>
> Key: SLING-9953
> URL: https://issues.apache.org/jira/browse/SLING-9953
> Project: Sling
> Issue Type: Bug
> Components: Content-Package to Feature Model Converter
> Reporter: Angela Schreiber
> Priority: Critical
> Fix For: Content-Package to Feature Model Converter 1.0.24
>
>
> I had a look at the cp-feature-model-converter in the light of SLING-9692 and
> found a surprising comment pointing to SLING-8561:
> {code}
> // clean the unneeded ACLs, see SLING-8561
> {code}
> code here:
> https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/acl/DefaultAclManager.java#L146-L153
> what it does in fact is omit any kind of permission setup that is defined for
> the service user's home node. that's quite a serious bug IMHO.... and on top
> of that unnecessary because Sling repo-init allows defining those kinds of
> ACEs using the home(userid) notation (see
> https://sling.apache.org/documentation/bundles/repository-initialization.html)
> and btw: what does _unneeded ACLs_ mean? they are for sure not 'unneeded' and
> omitting them will essentially result in an invalid permission setup (and
> thus break the feature using the service login).
> cc: [~cziegeler], [~karlpauls], [~dsuess]
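The handling asked for in the comment above, sketched as an added Java example (not code from the converter or from the thread): an ACE path at or below an identified user node is rewritten to the `home(userId)subpath` form, and an entry whose user ID cannot be determined is logged and omitted. The helper `toRepoInitPath`, the map of identified nodes and all sample paths and IDs are hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class HomePathExample {

    // Hypothetical helper. authorizableIds maps the path of every node that was
    // identified as a user/group node (by its node type, not by a hardcoded root
    // path) to its ID, or to null when the ID could not be determined.
    static Optional<String> toRepoInitPath(String acePath,
                                           Map<String, String> authorizableIds,
                                           List<String> errors) {
        for (Map.Entry<String, String> e : authorizableIds.entrySet()) {
            String home = e.getKey();
            boolean atOrBelow = acePath.equals(home) || acePath.startsWith(home + "/");
            if (!atOrBelow) {
                continue;
            }
            if (e.getValue() == null) {
                // ID unknown: report and omit rather than emit a raw path
                errors.add("cannot determine ID for " + home + ", omitting ACE on " + acePath);
                return Optional.empty();
            }
            // Replace the node path with home(<id>) and keep the remaining subpath
            return Optional.of("home(" + e.getValue() + ")" + acePath.substring(home.length()));
        }
        return Optional.of(acePath); // not a user/group node: keep the plain path
    }

    public static void main(String[] args) {
        // Constructed sample data: node names are arbitrary and do not reveal the ID.
        Map<String, String> ids = new LinkedHashMap<>();
        ids.put("/home/users/system/x7Qa", "my-service");
        ids.put("/home/users/a/aB3z", null); // identified as a user node, ID unknown
        List<String> errors = new ArrayList<>();
        String[] acePaths = {
            "/home/users/system/x7Qa",
            "/home/users/system/x7Qa/profile",
            "/home/users/a/aB3z/prefs",
            "/content/site"
        };
        for (String p : acePaths) {
            System.out.println(p + " -> " + toRepoInitPath(p, ids, errors).orElse("<omitted>"));
        }
        errors.forEach(System.err::println);
    }
}
```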