[ https://issues.apache.org/jira/browse/SLING-5768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15321870#comment-15321870 ]
ASF GitHub Bot commented on SLING-5768:
---------------------------------------

GitHub user ghenzler opened a pull request:

    https://github.com/apache/sling/pull/145

    SLING-5768 Introduce rep:slingResourceTypes

    Introduce rep:slingResourceTypes as extension to Oak permission system

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ghenzler/sling feature/SLING-5768-oak-restriction-for-resourcetype

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/sling/pull/145.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #145

----
commit 93f06a04a85dad36623881a7b5d7056c1f1f8693
Author: georg.henzler <georg.henz...@netcentric.biz>
Date:   2016-06-09T04:35:29Z

    SLING-5768 Introduce rep:slingResourceTypes as extension to Oak permission system

----

> Introduce rep:slingResourceTypes as extension to Oak permission system
> ----------------------------------------------------------------------
>
>                 Key: SLING-5768
>                 URL: https://issues.apache.org/jira/browse/SLING-5768
>             Project: Sling
>          Issue Type: New Feature
>          Components: Extensions
>            Reporter: Georg Henzler
>
> Oak allows extending its permissions management by using custom restrictions
> [1], also the standard oak restrictions are based on this and are
> implemented in a fairly straight-forward way [2] (example is for
> rep:ntNames).
> It would be nice to have sling level restrictions using sling properties in
> general. This issue is about introducing a restriction on resource types -
> the following should be possible:
> {code}
> - /content/mynode
>   - rep:policy (rep:ACL)
>     - allow (rep:GrantACE)
>       + principalName (String) = "myAuthorizable"
>       + rep:privileges (Name[]) = "rep:write"
>       - rep:restrictions (rep:Restrictions)
>         + rep:slingResourceTypes (String[]) = [myproj/resourcetype1,myproj/resourcetype2]
> {code}
> The example would only grant "rep:write" for the resource types
> myproj/resourcetype1 and myproj/resourcetype2 in path /content/mynode, other
> resources under path /content/mynode would not have "rep:write" permissions.
> See github PR for a first simple implementation (adding a bundle
> org.apache.sling.sling-oak-restrictions to contributions, not sure if this is
> the best spot).
> [1]
> https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#Pluggability
> [2]
> https://github.com/apache/jackrabbit-oak/blob/cea167f5bf70d818d58b1ffcc6bc65b3c0f9a5a4/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java#L50)
> https://github.com/apache/jackrabbit-oak/blob/cea167f5bf70d818d58b1ffcc6bc65b3c0f9a5a4/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
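
A simplified model of the restriction semantics described in the issue above, as an added example that is not part of the original message or of the pull request: it evaluates one allow entry carrying rep:slingResourceTypes against constructed sample nodes. The `Ace` class, the helper names, and the assumption that the node's own `sling:resourceType` property is what gets matched are illustrative and are not Oak's or Sling's API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    """Simplified allow entry (rep:GrantACE) with the proposed restriction."""
    path: str                         # node that carries rep:policy
    principal: str                    # principalName
    privileges: frozenset             # rep:privileges
    sling_resource_types: frozenset   # rep:slingResourceTypes; empty = unrestricted

def in_subtree(ace_path, node_path):
    # Compare whole path segments, so /content/mynode2 is not treated as
    # lying below /content/mynode.
    base = ace_path.rstrip("/")
    return node_path == base or node_path.startswith(base + "/")

def is_granted(ace, principal, privilege, node_path, props):
    """True if this single allow entry grants `privilege` on the node."""
    if principal != ace.principal or privilege not in ace.privileges:
        return False
    if not in_subtree(ace.path, node_path):
        return False
    if not ace.sling_resource_types:
        return True
    # Assumed semantics: the node's own sling:resourceType must be listed;
    # a node without the property never matches the restriction.
    return props.get("sling:resourceType") in ace.sling_resource_types

# The entry from the issue description.
ACE = Ace("/content/mynode", "myAuthorizable", frozenset({"rep:write"}),
          frozenset({"myproj/resourcetype1", "myproj/resourcetype2"}))

# Constructed sample nodes (path -> properties), not taken from the issue.
NODES = {
    "/content/mynode/a": {"sling:resourceType": "myproj/resourcetype1"},
    "/content/mynode/b": {"sling:resourceType": "myproj/other"},
    "/content/mynode/c": {},
    "/content/mynode2/d": {"sling:resourceType": "myproj/resourcetype1"},
}

def writable_paths(principal):
    """Paths in NODES on which ACE grants rep:write to `principal`."""
    return sorted(p for p, props in NODES.items()
                  if is_granted(ACE, principal, "rep:write", p, props))

if __name__ == "__main__":
    print(writable_paths("myAuthorizable"))
```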