[jira] [Reopened] (SLING-2600) Effective ACL servlet returns incorrect information

Mon, 08 Oct 2012 07:46:04 -0700 

     [ 
https://issues.apache.org/jira/browse/SLING-2600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dan Freeman reopened SLING-2600:
--------------------------------


Thanks for looking into this. For the given use case, the fix in revision 
1395204 does the job, but there seem to be few edge cases that still need 
attention.

If, for instance, I add the following to the example in the original 
description:

/base/child
   principalA - jcr:write=denied

Requesting /base/child.eacl.json will return the following:

{
    "principalA": {
        "denied": [
            "jcr:write"
        ],
        "granted": [
            "jcr:write"
        ],
        "order": 1,
        "principal": "principalA"
    },
    "principalB": {
        "granted": [
            "jcr:lockManagement",
            "jcr:write"
        ],
        "order": 0,
        "principal": "principalB"
    }
}

The ACL for principalB is now being correctly resolved, but the output for 
principalA is ambiguous. Again, thank you for your time.
                
> Effective ACL servlet returns incorrect information
> ---------------------------------------------------
>
>                 Key: SLING-2600
>                 URL: https://issues.apache.org/jira/browse/SLING-2600
>             Project: Sling
>          Issue Type: Bug
>          Components: JCR
>    Affects Versions: JCR Jackrabbit Access Manager 2.1.0
>            Reporter: Dan Freeman
>            Assignee: Eric Norman
>             Fix For: JCR Jackrabbit Access Manager 2.1.2
>
>
> The GetEffectiveAclServlet only appears to reflect the permissions on lowest 
> node in the requested hierarchy that has an ACL, rather than aggregating all 
> entries.
> Given, e.g., a node structure with the following privileges:
> /base
>   principalA - jcr:write=granted
>   principalB - jcr:write=granted
> /base/child
>   principalB - jcr:lockManagement=granted
> When requesting /base/child.eacl.json, the expected result would be that the 
> privileges granted to both principals on /base would be reflected, in 
> addition to those declared directly on /base/child.
> Instead, requests for /base/child.eacl.json and /base/child.acl.json both 
> return:
> {
>     "principalB": {
>         "granted": [
>             "jcr:lockManagement"
>         ],
>         "order": 0,
>         "principal": "principalB"
>     }
> }

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to