[jira] [Commented] (SLING-11233) Change ACL json structure to be less ambiguous for restrictions

Wed, 30 Mar 2022 01:57:07 -0700 


    [ 
https://issues.apache.org/jira/browse/SLING-11233?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17514550#comment-17514550
 ] 

Bertrand Delacretaz commented on SLING-11233:
---------------------------------------------

>From what you're writing I'm starting to understand that this is an _output_ 
>format. I initially thought it was an _input_ format.

I agree with you that the repoinit syntax is not useful as an output format.

I should have checked earlier, sorry for the noise!

> Change ACL json structure to be less ambiguous for restrictions
> ---------------------------------------------------------------
>
>                 Key: SLING-11233
>                 URL: https://issues.apache.org/jira/browse/SLING-11233
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: JCR Jackrabbit Access Manager 3.0.12
>
>
> The restriction details in the ACL json can be ambiguous in some situations.
> For example, in the example below it is not clear if the "rep:glob" 
> restriction applies to the "jcr:read" privilege or the "rep:write" privilege.
>  
> {code:java}
> {
>   "user1":{
>     "principal":"user1",
>     "granted":[
>       "jcr:read"
>     ],
>     "denied":[
>       "rep:write"
>     ],
>     "order":0,
>     "restrictions":{
>       "rep:glob":"glob1"
>     }
>   }
> } {code}
>  
>  
> Expected:
> The JSON structure of the ACE should be enhanced to make it more clear. 
> For example, replace the "granted/denied/restrictions" items with a 
> "privileges" structure whose items are the granted or denied privileges.  
> Each privilege has a "deny" and/or "grant" child whose value is either true 
> (no restrictions) or an array of restrictions + values.
> For example:
>  
> {code:java}
> {
>   "user1":{
>     "principal":"user1",
>     "order":0,
>     "privileges":{
>       "jcr:read":{
>         "allow":{
>           "rep:glob":"glob1"
>         }
>       },
>       "jcr:readAccessControl":{
>         "allow":{
>           "rep:itemNames":[
>             "name1",
>             "name2"
>           ]
>         }
>       },
>       "rep:write":{
>         "deny":true
>       }
>     }
>   }
> } {code}
> The new format should also be flexible enough to describe a privilege that is 
> granted and denied with different restrictions for each of those states.  
> That scenario is impossible to describe in the old format.
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to