[ https://issues.apache.org/jira/browse/SLING-11160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17496949#comment-17496949 ]
Angela Schreiber commented on SLING-11160:
------------------------------------------

hi [~bdelacretaz], [~kpauls], [~cziegeler], attached an initial draft on how that could be addressed.... jcr-repoinit only partially implemented, not tested and some tests would fail because REMOVE-something is implemented instead of throwing. didn't want to invest a ton of time as long as we didn't have an agreement on how to fix that. so rather an initial basis for the discussion and feasibility.

wdyt?

> Repoinit does not allow to remove individual ACEs
> -------------------------------------------------
>
> Key: SLING-11160
> URL: https://issues.apache.org/jira/browse/SLING-11160
> Project: Sling
> Issue Type: Bug
> Components: Repoinit
> Reporter: Angela Schreiber
> Priority: Major
> Attachments: SLING-11160-initial-draft.patch
>
>
> With SLING-9090 support for using _REMOVE *_ for all entries at a given path
> or for a given principal has been implemented.
> However as indicated in the same issue the intended usage of _REMOVE
> some-thing-specific_ is not clear.
> What is therefore missing with repo-init is the ability to remove a single
> access control entry that matches
> - principal
> - privileges
> - allow-status
> - single value restriction
> - mv restrictions.
> As far as I can see the biggest issue is the fact that REMOVE vs ALLOW/DENY
> are mutually exclusive as the other params listed above can be extracted from
> a given AclLine in combination with the set-ACL statement.
> This could be fixed by adjusting the following parser method
> {code}
> AclLine privilegesLineOperation() :
> {}
> {
>     (
>         <REMOVE> { return new AclLine(AclLine.Action.REMOVE); }
>         | ( <ALLOW> { return new AclLine(AclLine.Action.ALLOW); } )
>         | ( <DENY> { return new AclLine(AclLine.Action.DENY); } )
>     )
> }
> {code}
> such that
> - REMOVE is optional, followed by
> - ALLOW or DENY
> The {{AclLine}} would then need to be slightly adjusted such that REMOVE can
> be combined with either ALLOW or DENY.
> Otherwise, I don't see how
> {{AccessControlList.removeAccessControlEntry(AccessControlEntry)}} could be
> implemented in org.apache.sling.jcr.repoinit for a single ACE.
> Or maybe the intention was something different in the first place?
> [~bdelacretaz], I would appreciate if you had time to comment on this.
> cc: [~kpauls], [~cziegeler]

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
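
The single-ACE match listed in the issue (principal, privileges, allow-status, restrictions), sketched against the JCR and Jackrabbit API as an added example; it is not taken from the attached patch or from org.apache.sling.jcr.repoinit. The class and method names are hypothetical, and it assumes privileges are compared by declared name (no aggregate expansion) and restriction values as ordered strings.

```java
import java.util.*;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;

/** Hypothetical helper (added example), not part of org.apache.sling.jcr.repoinit. */
public final class SingleAceRemover {

    /** Removes each ACE at path that matches all criteria; returns the number removed. */
    public static int remove(Session session, String path, String principalName,
            Set<String> privilegeNames, boolean isAllow,
            Map<String, List<String>> restrictions) throws RepositoryException {
        AccessControlManager acMgr = session.getAccessControlManager();
        int total = 0;
        for (AccessControlPolicy policy : acMgr.getPolicies(path)) {
            if (!(policy instanceof AccessControlList)) continue;
            AccessControlList acl = (AccessControlList) policy;
            int removed = 0;
            // getAccessControlEntries() returns an array, so removal while looping is safe
            for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                if (matches(ace, principalName, privilegeNames, isAllow, restrictions)) {
                    acl.removeAccessControlEntry(ace);
                    removed++;
                }
            }
            if (removed > 0) acMgr.setPolicy(path, acl); // write the modified list back
            total += removed;
        }
        return total; // the caller still has to call session.save()
    }

    private static boolean matches(AccessControlEntry ace, String principalName,
            Set<String> privilegeNames, boolean isAllow,
            Map<String, List<String>> restrictions) throws RepositoryException {
        // allow-status and restrictions are only exposed by the Jackrabbit extension
        if (!(ace instanceof JackrabbitAccessControlEntry)) return false;
        JackrabbitAccessControlEntry jace = (JackrabbitAccessControlEntry) ace;
        if (jace.isAllow() != isAllow) return false; // ALLOW vs DENY must be known
        if (!principalName.equals(jace.getPrincipal().getName())) return false;
        Set<String> names = new HashSet<>();
        for (Privilege p : jace.getPrivileges()) names.add(p.getName());
        if (!names.equals(privilegeNames)) return false;
        Map<String, List<String>> found = new HashMap<>();
        for (String name : jace.getRestrictionNames()) {
            List<String> values = new ArrayList<>();
            for (Value v : jace.getRestrictions(name)) values.add(v.getString());
            found.put(name, values); // single-value and mv restrictions alike
        }
        return found.equals(restrictions);
    }
}
```

Without the `isAllow` argument, an allow entry and a deny entry for the same principal and privileges at the same path would both match, which is why the issue asks for REMOVE to be combinable with ALLOW or DENY.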