Anjan created SLING-3010:
----------------------------

             Summary: Managing Permissions using Sling with Aggregate Privileges
                 Key: SLING-3010
                 URL: https://issues.apache.org/jira/browse/SLING-3010
             Project: Sling
          Issue Type: Bug
          Components: API
    Affects Versions: JCR Base 2.1.2
            Reporter: Anjan
            Priority: Minor


I am using Sling's REST interface to modify the permissions on a Node.  I 
noticed an issue.

The issue I am facing can be best explained by showing the curl commands I 
executed and the output I received:

(1) Here is the initial set of privileges present on the node:
$ curl -u admin:admin http://localhost:8080/content/pertest.eacl.json
{"test":{"principal":"test","denied":["jcr:versionManagement","jcr:read","jcr:modifyAccessControl","rep:write"],"order":0},"everyone":{"principal":"everyone","granted":["jcr:read","jcr:readAccessControl"],"order":1},"administrators":{"principal":"administrators","granted":["jcr:all"],"order":2}}

(2) Run the below command to grant all the privileges for the "test" principal
$ curl -u admin:admin -FprincipalId=test 
-Fprivilege@jcr:versionManagement=granted -Fprivilege@jcr:read=granted 
-Fprivilege@jcr:modifyAccessControl=granted 
-Fprivilege@jcr:nodeTypeManagement=granted  -Fprivilege@jcr:write=granted 
http://localhost:8080/content/pertest.modifyAce.json

(3) As you can see from the below output, "jcr:write" is still present under 
"denied" privileges for "test" even though I granted all the privileges in the 
previous command
$ curl -u admin:admin http://localhost:8080/content/pertest.eacl.json
{"test":{"principal":"test","granted":["jcr:nodeTypeManagement","jcr:versionManagement","jcr:read","jcr:modifyAccessControl"],"denied":["jcr:write"],"order":0},"everyone":{"principal":"everyone","granted":["jcr:read","jcr:readAccessControl"],"order":1},"administrators":{"principal":"administrators","granted":["jcr:all"],"order":2}}

Initially I thought it was a bug in Jackrabbit, but after getting the 
clarification from the Jackrabbit forum, I think it might need to be corrected 
in Sling.

Here is the link to the question I raised in Jackrabbit forum:

http://jackrabbit.510166.n4.nabble.com/Bug-or-intended-behavior-getAggregatePrivileges-td4659272.html

Potential fix:

In the class org.apache.sling.jcr.base.util.AccessControlUtil.java, there is a 
private method with the below signature:

private static Set<String> disaggregateToPrivilegeNames(Privilege privilege) {}

Inside this method, there is a "for" loop:

for (Privilege disaggregate : privileges) {
    disaggregatedPrivilegeNames.add(disaggregate.getName());
}

If I modify the above snippet with the below code snippet, then the issue seems 
to be resolved.

for (Privilege disaggregate : privileges) {
    if (!disaggregate.isAggregate()) {
        disaggregatedPrivilegeNames.add(disaggregate.getName());
    }
}

Based on my initial testing the change seems to be working fine.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
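The following is an added illustration of why the proposed one-line change matters; it is not code from Sling or Jackrabbit. It models the privilege hierarchy from the report (rep:write contains jcr:write and jcr:nodeTypeManagement; jcr:write contains four leaf privileges) with a small stand-in for javax.jcr.security.Privilege, so it compiles without a JCR jar. Two things are assumptions: getAggregatePrivileges() returns the full transitive closure, nested aggregates included, which is the Jackrabbit behaviour the linked forum thread describes; and the merge step (build the denied set from the stored ACE, then remove every name of a newly granted privilege) is a simplified model of what the modifyAce handling does, not the servlet's own code. The class, method and field names are invented for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added illustration, not Sling or Jackrabbit code.
public class AggregatePrivilegeDemo {

    /** Stand-in (assumption) for the parts of javax.jcr.security.Privilege used here. */
    static final class Privilege {
        private final String name;
        private final List<Privilege> declared = new ArrayList<>();

        Privilege(String name, Privilege... contained) {
            this.name = name;
            this.declared.addAll(Arrays.asList(contained));
        }

        String getName() { return name; }

        boolean isAggregate() { return !declared.isEmpty(); }

        /**
         * Assumption: like Jackrabbit, return the transitive closure, so a nested
         * aggregate (jcr:write inside rep:write) is listed next to its own leaves.
         */
        Privilege[] getAggregatePrivileges() {
            Set<Privilege> all = new LinkedHashSet<>();
            for (Privilege p : declared) {
                all.add(p);
                all.addAll(Arrays.asList(p.getAggregatePrivileges()));
            }
            return all.toArray(new Privilege[0]);
        }
    }

    // Hierarchy as defined by JCR 2.0 and Jackrabbit's rep:write.
    static final Privilege MODIFY_PROPERTIES = new Privilege("jcr:modifyProperties");
    static final Privilege ADD_CHILD_NODES = new Privilege("jcr:addChildNodes");
    static final Privilege REMOVE_NODE = new Privilege("jcr:removeNode");
    static final Privilege REMOVE_CHILD_NODES = new Privilege("jcr:removeChildNodes");
    static final Privilege NODE_TYPE_MANAGEMENT = new Privilege("jcr:nodeTypeManagement");
    static final Privilege WRITE = new Privilege("jcr:write",
            MODIFY_PROPERTIES, ADD_CHILD_NODES, REMOVE_NODE, REMOVE_CHILD_NODES);
    static final Privilege REP_WRITE = new Privilege("rep:write", WRITE, NODE_TYPE_MANAGEMENT);

    /** Current behaviour: every name returned by the closure is kept, aggregates included. */
    static Set<String> disaggregateKeepingAggregates(Privilege privilege) {
        Set<String> names = new LinkedHashSet<>();
        if (privilege.isAggregate()) {
            for (Privilege p : privilege.getAggregatePrivileges()) {
                names.add(p.getName());
            }
        } else {
            names.add(privilege.getName());
        }
        return names;
    }

    /** Proposed fix: only leaf privilege names survive disaggregation. */
    static Set<String> disaggregateToLeaves(Privilege privilege) {
        Set<String> names = new LinkedHashSet<>();
        if (privilege.isAggregate()) {
            for (Privilege p : privilege.getAggregatePrivileges()) {
                if (!p.isAggregate()) {
                    names.add(p.getName());
                }
            }
        } else {
            names.add(privilege.getName());
        }
        return names;
    }

    interface Disaggregator { Set<String> names(Privilege p); }

    /**
     * Simplified model (assumption) of the modifyAce merge: the denied set is
     * rebuilt from the stored ACE, then each newly granted privilege's names
     * are removed from it. Whatever is left is reported as still denied.
     */
    static Set<String> remainingDenied(Disaggregator d, Privilege[] denied, Privilege[] granted) {
        Set<String> deniedNames = new LinkedHashSet<>();
        for (Privilege p : denied) deniedNames.addAll(d.names(p));
        for (Privilege p : granted) deniedNames.removeAll(d.names(p));
        return deniedNames;
    }

    public static void main(String[] args) {
        // Step (1): rep:write is denied. Step (2): jcr:write and jcr:nodeTypeManagement are granted.
        Privilege[] denied = { REP_WRITE };
        Privilege[] granted = { WRITE, NODE_TYPE_MANAGEMENT };
        System.out.println("current: "
                + remainingDenied(AggregatePrivilegeDemo::disaggregateKeepingAggregates, denied, granted));
        System.out.println("fixed:   "
                + remainingDenied(AggregatePrivilegeDemo::disaggregateToLeaves, denied, granted));
    }
}
```

Save as AggregatePrivilegeDemo.java and run with javac/java (Java 8 or later). With the current disaggregation the closure of rep:write contributes the name "jcr:write" itself, but granting jcr:write only contributes its four leaves, so "jcr:write" is left in the denied set, which is exactly the residue in output (3). With the leaf-only variant both sides reduce to the same leaf names and the denied set ends up empty. The same reasoning explains why the report's other denied entries (jcr:versionManagement, jcr:read, jcr:modifyAccessControl) cleared correctly: they are leaves, so the two representations already agreed.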