[ https://issues.apache.org/jira/browse/SLING-11233?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17514550#comment-17514550 ]
Bertrand Delacretaz commented on SLING-11233:
---------------------------------------------

From what you're writing I'm starting to understand that this is an _output_ format. I initially thought it was an _input_ format.

I agree with you that the repoinit syntax is not useful as an output format.

I should have checked earlier, sorry for the noise!

> Change ACL json structure to be less ambiguous for restrictions
> ---------------------------------------------------------------
>
>                 Key: SLING-11233
>                 URL: https://issues.apache.org/jira/browse/SLING-11233
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: JCR Jackrabbit Access Manager 3.0.12
>
>
> The restriction details in the ACL json can be ambiguous in some situations.
> For example, in the example below it is not clear if the "rep:glob"
> restriction applies to the "jcr:read" privilege or the "rep:write" privilege.
>
> {code:java}
> {
>   "user1":{
>     "principal":"user1",
>     "granted":[
>       "jcr:read"
>     ],
>     "denied":[
>       "rep:write"
>     ],
>     "order":0,
>     "restrictions":{
>       "rep:glob":"glob1"
>     }
>   }
> }
> {code}
>
>
> Expected:
> The JSON structure of the ACE should be enhanced to make it more clear.
> For example, replace the "granted/denied/restrictions" items with a
> "privileges" structure whose items are the granted or denied privileges.
> Each privilege has a "deny" and/or "grant" child whose value is either true
> (no restrictions) or an array of restrictions + values.
> For example:
>
> {code:java}
> {
>   "user1":{
>     "principal":"user1",
>     "order":0,
>     "privileges":{
>       "jcr:read":{
>         "allow":{
>           "rep:glob":"glob1"
>         }
>       },
>       "jcr:readAccessControl":{
>         "allow":{
>           "rep:itemNames":[
>             "name1",
>             "name2"
>           ]
>         }
>       },
>       "rep:write":{
>         "deny":true
>       }
>     }
>   }
> }
> {code}
> The new format should also be flexible enough to describe a privilege that is
> granted and denied with different restrictions for each of those states.
> That scenario is impossible to describe in the old format.
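
Added example (not part of the original message or of the Sling code base): a Python sketch that flattens the proposed "privileges" structure into one explicit rule per privilege and state, and flags the old-format case the issue calls ambiguous. It assumes the "allow"/"deny" keys shown in the JSON sample above; the function names and the "glob2" value are constructed for illustration.

```python
import json

# Constructed sample in the proposed format. "rep:write" is allowed with one
# restriction and denied with none: the case the old format cannot describe.
NEW_ACL = json.loads("""
{
  "user1": {
    "principal": "user1",
    "order": 0,
    "privileges": {
      "jcr:read":  {"allow": {"rep:glob": "glob1"}},
      "rep:write": {"allow": {"rep:glob": "glob2"}, "deny": true}
    }
  }
}
""")

# Old-format entry copied from the issue description.
OLD_ACE = {"principal": "user1", "granted": ["jcr:read"], "denied": ["rep:write"],
           "order": 0, "restrictions": {"rep:glob": "glob1"}}

def flatten(acl):
    """Return sorted (principal, privilege, state, restrictions) rules."""
    rules = []
    for entry in acl.values():
        for privilege, states in entry["privileges"].items():
            for state, value in states.items():
                if state not in ("allow", "deny"):
                    raise ValueError(f"unknown state {state!r} on {privilege}")
                if value is True:            # true means "no restrictions"
                    restrictions = {}
                elif isinstance(value, dict):
                    restrictions = dict(value)
                else:
                    raise ValueError(f"bad value for {privilege}/{state}")
                rules.append((entry["principal"], privilege, state, restrictions))
    return sorted(rules, key=lambda r: r[:3])

def old_format_is_ambiguous(ace):
    """True when one shared "restrictions" map sits beside both lists."""
    return all(ace.get(k) for k in ("restrictions", "granted", "denied"))

if __name__ == "__main__":
    for rule in flatten(NEW_ACL):
        print(rule)
    print("old entry ambiguous:", old_format_is_ambiguous(OLD_ACE))
```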