John Logan created SLING-8302:
---------------------------------
Summary: Sling Oak Restrictions - cannot apply allow permission
for child node creation.
Key: SLING-8302
URL: https://issues.apache.org/jira/browse/SLING-8302
Project: Sling
Issue Type: Bug
Components: Oak
Affects Versions: Oak Restrictions 1.0.2
Reporter: John Logan
I've run into a problem trying to get Sling permissions working for my use
case. The simple case I'm trying right now is to allow a user 'alice' to have
full access to all nodes at or below nodes with Sling resource type 'foo'.
Here's the test procedure I'm following:
# Fire up sling-starter 11 and log into the Composum browser as admin.
# Add a user 'alice'.
# Add permission jcr:read to '/' for alice so she can browse in Composum.
# Create a sling:Folder node '/content/data' with Sling resource type 'foo'.
# Create a sling:Folder node '/content/data/child1' with Sling resource type
'foo'.
# For the '/content/data' node, add a permission with principal 'alice', rule
'allow', privileges 'jcr:all', and restrictions
'sling:resourceTypesWithDescendants=foo'.
# In a separate browser, log in as alice and go to Composum.
# As alice, try to create the node '/content/data/child2'.
*Expected:* User 'alice' can create the node.
*Actual:* The Composum "Create New Node" dialog displays the error "Error 400
javax.jcr.AccessDeniedException: OakAccess0000: Access denied" and the node is
not created.
If I check effective permissions in Composum for /content/data and
/content/data/child1, I see that 'alice' does receive jcr:all for both nodes.
Further, I can perform this check either as admin or alice, whereas I cannot
look at permissions on /content as alice.
If I try the Sling POST servlet as alice to create the node, I get a different
exception "org.apache.sling.api.resource.PersistenceException: Resource at
'/content/data/foo' is not modifiable."
[~henzlerg] duplicated the issue and provided the following explanation:
_I had a look and I could reproduce. I have used this module to hide existing
nodes (denies), that's why I've never run into it._
_The root cause is that for the create case, not only [1] but also [2] gets
called (since there is no tree available). ResourceTypePattern [3] always
returns false in the same way as oak ootb NodeTypePattern [4]. So I'm not sure
if we can even solve this, but I'd like to try, please create an issue in JIRA
for this._
_[1]
[https://github.com/apache/jackrabbit-oak/blob/64a7e291c8dfd32ef36648ace0b0c6ee80780e2d/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionPattern.java#L40]_
_[2]
[https://github.com/apache/jackrabbit-oak/blob/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionPattern.java#L50]_
_[3]
[https://github.com/apache/sling-org-apache-sling-oak-restrictions/blob/8574518f43969db9e4f8bbeb4e825d6d05ee41f8/src/main/java/org/apache/sling/oak/restrictions/impl/ResourceTypePattern.java#L150]_
_[4]
[https://github.com/apache/jackrabbit-oak/blob/dc43f39e3203561542640218d2ec9a39c846ff2f/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java#L54]_
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
