[jira] [Commented] (SLING-10127) Keep modified content packages of type "content"

Wed, 10 Mar 2021 23:43:06 -0800 


    [ 
https://issues.apache.org/jira/browse/SLING-10127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17299381#comment-17299381
 ] 

Angela Schreiber commented on SLING-10127:
------------------------------------------

[~kwin], thanks for highlighting that. very good point. in fact if content 
packages are installed as originally defined the effect of 'enforce 
principal-based ac-setup would actually be destroyed if the content packages 
comes with an import-mode that moves the existing service users.

[~kpauls], i think we briefly touched this topic while fixing security issues 
with the converter but somehow assume that this is already the case. if it's 
not as [~kwin] reports this would need to be addressed. wdyt?

> Keep modified content packages of type "content"
> ------------------------------------------------
>
>                 Key: SLING-10127
>                 URL: https://issues.apache.org/jira/browse/SLING-10127
>             Project: Sling
>          Issue Type: Improvement
>          Components: Feature Model
>    Affects Versions: Content-Package to Feature Model Converter 1.0.24
>            Reporter: Konrad Windszus
>            Priority: Major
>
> Currently in 
> https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/a21667f65a2bd503bd752c3cc6fb842caac90d90/src/main/java/org/apache/sling/feature/cpconverter/ContentPackage2FeatureModelConverter.java#L343
>  all generated/modified content packages of type "content" are just 
> disregarded.
> If you have as input a content package of type "content" containing ACLs on 
> mutable nodes, system users and arbitrary other mutable nodes, the first two 
> are correctly extracted into a feature model but the content package is not 
> modified, leading to the fact that the ACLs and system users are still 
> contained in the content package.
> IMHO a modified content-package should be given out (and kept) as that one 
> differs from the input content package!
> Otherwise you would try to install system users/ACLs again when installing 
> the content package which might fail due to missing rights...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to