[jira] [Commented] (SLING-9871) Specifying order of ACEs through repoinit directives

Mon, 15 Mar 2021 10:10:07 -0700 


    [ 
https://issues.apache.org/jira/browse/SLING-9871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17301784#comment-17301784
 ] 

Eric Norman commented on SLING-9871:
------------------------------------

[~bdelacretaz] Ok, well I don't really agree that an "order ACL" statement 
would be any more dangerous or "less simple" than assuming that the "set ACL" 
statements would be invoked in any specific order.  Re-ordering the ACEs has 
been done for many years by 
[https://sling.apache.org/documentation/bundles/content-loading-jcr-contentloader.html#acls-and-principals-1]
 and 
[https://sling.apache.org/documentation/bundles/managing-permissions-jackrabbit-accessmanager.html#add-or-modify-permissions-1]
 and I haven't seen anyone report any concerns.

 

But, with that being said, I am not the original reporter of this issue and it 
isn't blocking any work for me at the moment.  I'm not motivated to continue to 
argue on the behalf of [~ashishc] when there has been no feedback or 
acknowledgment of the proposals.

> Specifying order of ACEs through repoinit directives
> ----------------------------------------------------
>
>                 Key: SLING-9871
>                 URL: https://issues.apache.org/jira/browse/SLING-9871
>             Project: Sling
>          Issue Type: Improvement
>          Components: Repoinit
>            Reporter: Ashish Chopra
>            Priority: Major
>
> As of writing this, repoinit processor (among other things not relevant to 
> this JIRA) collects {{create path}} statements and {{set ACL}} statements 
> declared in all the feature-models applicable to feature-aggregate under 
> consideration.
> Upon repository initialization, it applies all the {{create path}} 
> statements, followed by all the {{set ACL}} statements. However, the order in 
> which {{set ACL}} statements declared across feature models are applied isn't 
> defined (currently, it seems to be based on feature-model-name, 
> alphabetically ascending).
> This causes issues at times because we want the order of the ACEs to be 
> maintained (e.g., "deny"s for everyone at a given path must be the first ACE, 
> followed by "allow"s for specific, non-system-user principals)
> Repoinit should be able to support this requirement.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to