On 8 March 2013 19:52, Carsten Ziegeler <cziege...@apache.org> wrote:
> 2013/3/8 Ian Boston <i...@tfd.co.uk>:
>> sources are navigable.
>>
>> eg
>> /a is managed by a JCR Resource Provider wrapped in a 
>> ResourceProviderDecorator
>>
>> /a/b/c/d/e/f is denied by the ResourceProviderDecorator (eg Timed ACL)
>> /a/b/c/d/e is allowed by the ResourceProviderDecorator
>>
>> Node n = resourceResolver.getResource("/a/b/c/d/e").adaptTo(Node.class);
>>
>> ... 20 lines of code ...
>>
>> Node breach = n.getChild("f");
>>
> I think Bertrand summarized it very well in his recent post - you
> wouldn't implement ACL checks for JCR with this, but for resource
> providers not having ACLs - and in that case you probably don't have
> an adaption mechanism to an object which allows you tree traversal, so
> there is no Node equivalent.

I'm ok with all the decorators if the guidance is rephrased:

"If the system the ResourceProvider provides Resources from implements
and exposes tree traversal via an adaption mechanism it is the
responsibility of the ResourceProvider or underlying system to
implement an appropriate level of security."

(by implication, if the implementor of the ResourceProvider chooses to
ignore the guidance, on their head be it.)

I think that covers JCR and any other system that might expose objects
that are capable of tree traversal. They do exist.

Best Regards
Ian
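
The gap discussed in this message, as an added example that is not part of the original mail and is not Sling or JCR code: a simplified Java model in which every class and method name (`TreeNode`, `GuardedNode`, `resolve`, `allowed`) is hypothetical. It shows a path-level check enforced at lookup being bypassed through the adapted object, and the same check holding when the provider hands out a guarded view instead.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the thread's scenario; all names are hypothetical, not Sling/JCR API.
public class DecoratorTraversalDemo {
    static final String DENIED = "/a/b/c/d/e/f";

    // Path-level rule applied by the decorator (stands in for e.g. a timed ACL).
    static boolean allowed(String p) { return !(p.equals(DENIED) || p.startsWith(DENIED + "/")); }

    // Native object of the backing store: supports tree traversal and knows nothing of the decorator.
    static class TreeNode {
        final String path;
        final Map<String, TreeNode> children = new HashMap<>();
        TreeNode(String path) { this.path = path; }
        TreeNode add(String name) {
            return children.computeIfAbsent(name, k -> new TreeNode(path.equals("/") ? "/" + k : path + "/" + k));
        }
        TreeNode getChild(String name) { return children.get(name); }
    }

    // Decorated lookup: the rule is consulted only for the path the caller asks for.
    static TreeNode resolve(TreeNode root, String path) {
        if (!allowed(path)) return null;
        TreeNode n = root;
        for (String seg : path.substring(1).split("/")) n = (n == null) ? null : n.getChild(seg);
        return n;
    }

    // Guarded view the provider can hand out instead of the raw node: every traversal step re-checks the rule.
    static class GuardedNode {
        private final TreeNode delegate;
        GuardedNode(TreeNode delegate) { this.delegate = delegate; }
        GuardedNode getChild(String name) {
            TreeNode c = delegate.getChild(name);
            return (c != null && allowed(c.path)) ? new GuardedNode(c) : null;
        }
    }

    public static void main(String[] args) {
        TreeNode root = new TreeNode("/");
        root.add("a").add("b").add("c").add("d").add("e").add("f");

        TreeNode n = resolve(root, "/a/b/c/d/e"); // permitted parent, returned as the raw native object
        System.out.println("lookup of denied path returns null:    " + (resolve(root, DENIED) == null));
        System.out.println("raw node reaches denied child:         " + (n.getChild("f") != null));
        System.out.println("guarded node reaches denied child:     " + (new GuardedNode(n).getChild("f") != null));
    }
}
```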
