John Logan created SLING-8302: --------------------------------- Summary: Sling Oak Restrictions - cannot apply allow permission for child node creation. Key: SLING-8302 URL: https://issues.apache.org/jira/browse/SLING-8302 Project: Sling Issue Type: Bug Components: Oak Affects Versions: Oak Restrictions 1.0.2 Reporter: John Logan
I've run into a problem trying to get Sling permissions working for my use case. The simple case I'm trying right now is to allow a user 'alice' to have full access to all nodes at or below nodes with Sling resource type 'foo'. Here's the test procedure I'm following: # Fire up sling-starter 11 and log into the Composum browser as admin. # Add a user 'alice'. # Add permission jcr:read to '/' for alice so she can browse in Composum. # Create a sling:Folder node '/content/data' with Sling resource type 'foo'. # Create a sling:Folder node '/content/data/child1' with Sling resource type 'foo'. # For the '/content/data' node, add a permission with principal 'alice', rule 'allow', privileges 'jcr:all', and restrictions 'sling:resourceTypesWithDescendants=foo'. # In a separate browser, log in as alice and go to Composum. # As alice, try to create the node '/content/data/child2'. *Expected:* User 'alice' can create the node. *Actual:* The Composum "Create New Node" dialog displays the error "Error 400 javax.jcr.AccessDeniedException: OakAccess0000: Access denied" and the node is not created. If I check effective permissions in Composum for /content/data and /content/data/child1, I see that 'alice' does receive jcr:all for both nodes. Further, I can perform this check either as admin or alice, whereas I cannot look at permissions on /content as alice. If I try the Sling POST servlet as alice to create the node, I get a different exception "org.apache.sling.api.resource.PersistenceException: Resource at '/content/data/foo' is not modifiable." [~henzlerg] duplicated the issue and provided the following explanation: _I had a look and I could reproduce. I have used this module to hide existing nodes (denies), that's why I've never run into it._ _The root cause is that for the create case, not only [1] but also [2] gets called (since there is no tree available). ResourceTypePattern [3] always returns false in the same way as oak ootb NodeTypePattern [4]. So I'm not sure if we can even solve this, but I'd like to try, please create an issue in JIRA for this._ _[1] [https://github.com/apache/jackrabbit-oak/blob/64a7e291c8dfd32ef36648ace0b0c6ee80780e2d/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionPattern.java#L40]_ _[2] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionPattern.java#L50]_ _[3] [https://github.com/apache/sling-org-apache-sling-oak-restrictions/blob/8574518f43969db9e4f8bbeb4e825d6d05ee41f8/src/main/java/org/apache/sling/oak/restrictions/impl/ResourceTypePattern.java#L150]_ _[4] [https://github.com/apache/jackrabbit-oak/blob/dc43f39e3203561542640218d2ec9a39c846ff2f/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java#L54]_ -- This message was sent by Atlassian JIRA (v7.6.3#76005)