[ https://issues.apache.org/jira/browse/SLING-11160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17499369#comment-17499369 ]
Angela Schreiber edited comment on SLING-11160 at 3/1/22, 8:05 AM:
-------------------------------------------------------------------

[~bdelacretaz], I am equally fine with that and will adjust my patches accordingly.

btw: I don't think that variant
{code}
remove repository ACL for user1,user2
    allow jcr:read,jcr:lockManagement
    deny jcr:write
end
{code}
is needed as it can be represented as follows:
{code}
remove ACL for user1,user2
    allow jcr:read,jcr:lockManagement on :repository
    deny jcr:write on :repository
end
{code}

I would also suggest to leave out the _aclOptions_ defined with the setter methods. They have never been implemented and I don't see a need for it.

Regarding _remove *_: I would leave that as it is for backwards compatibility but not add a corresponding variant to the new remove_acl operations. After all, it's easier to drop the entire policy using _delete acl_ in this case instead of removing all entries and leaving an empty policy.

> Repoinit does not allow to remove individual ACEs
> -------------------------------------------------
>
>                 Key: SLING-11160
>                 URL: https://issues.apache.org/jira/browse/SLING-11160
>             Project: Sling
>          Issue Type: Bug
>          Components: Repoinit
>            Reporter: Angela Schreiber
>            Assignee: Angela Schreiber
>            Priority: Major
>         Attachments: SLING-11160-initial-draft.patch
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> With SLING-9090 support for using _REMOVE *_ for all entries at a given path
> or for a given principal has been implemented.
> However, as indicated in the same issue, the intended usage of _REMOVE
> some-thing-specific_ is not clear.
> What is therefore missing with repo-init is the ability to remove a single
> access control entry that matches
> - principal
> - privileges
> - allow-status
> - single value restriction
> - mv restrictions.
> As far as I can see the biggest issue is the fact that REMOVE vs ALLOW/DENY
> are mutually exclusive as the other params listed above can be extracted from
> a given AclLine in combination with the set-ACL statement.
> This could be fixed by adjusting the following parser method
> {code}
> AclLine privilegesLineOperation() :
> {}
> {
>     (
>         <REMOVE> { return new AclLine(AclLine.Action.REMOVE); }
>         | ( <ALLOW> { return new AclLine(AclLine.Action.ALLOW); } )
>         | ( <DENY> { return new AclLine(AclLine.Action.DENY); } )
>     )
> }
> {code}
> such that
> - REMOVE is optional, followed by
> - ALLOW or DENY
> The {{AclLine}} would then need to be slightly adjusted such that REMOVE can
> be combined with either ALLOW or DENY.
> Otherwise, I don't see how
> {{AccessControlList.removeAccessControlEntry(AccessControlEntry)}} could be
> implemented in org.apache.sling.jcr.repoinit for a single ACE.
> Or maybe the intention was something different in the first place?
> [~bdelacretaz], I would appreciate if you had time to comment on this.
> cc: [~kpauls], [~cziegeler]

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
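
The issue quoted above asks how a single ACE matching principal, privileges, allow-status and restrictions could be handed to {{AccessControlList.removeAccessControlEntry(AccessControlEntry)}}. One way to do that matching with the JCR and Jackrabbit APIs, as an added example that is not code from the Sling project or from this thread; the class name {{SingleAceRemoval}}, its method names and the exact-match semantics are assumptions.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;

/** Hypothetical helper, not part of org.apache.sling.jcr.repoinit. */
public final class SingleAceRemoval {
    // Removes entries whose principal, allow-status, privilege names and restrictions all
    // match exactly (assumption: no expansion of aggregate privileges). Returns the count.
    // The caller still has to call AccessControlManager.setPolicy(path, acl) and save.
    public static int removeMatching(AccessControlList acl, String principalName,
            boolean isAllow, Set<String> privilegeNames,
            Map<String, Set<String>> restrictions) throws RepositoryException {
        int removed = 0;
        for (AccessControlEntry ace : acl.getAccessControlEntries()) {
            if (!(ace instanceof JackrabbitAccessControlEntry)) continue;
            JackrabbitAccessControlEntry jace = (JackrabbitAccessControlEntry) ace;
            if (jace.isAllow() == isAllow
                    && principalName.equals(jace.getPrincipal().getName())
                    && privilegeNames.equals(privilegeNamesOf(jace))
                    && restrictions.equals(restrictionsOf(jace))) {
                acl.removeAccessControlEntry(ace);
                removed++;
            }
        }
        return removed;
    }

    private static Set<String> privilegeNamesOf(AccessControlEntry ace) {
        Set<String> names = new HashSet<>();
        for (Privilege p : ace.getPrivileges()) names.add(p.getName());
        return names;
    }

    // Single-value and multi-value restrictions are both read as a set of strings.
    private static Map<String, Set<String>> restrictionsOf(JackrabbitAccessControlEntry ace)
            throws RepositoryException {
        Map<String, Set<String>> result = new HashMap<>();
        for (String name : ace.getRestrictionNames()) {
            Set<String> values = new HashSet<>();
            for (Value v : ace.getRestrictions(name)) values.add(v.getString());
            result.put(name, values);
        }
        return result;
    }
}
```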