[ https://issues.apache.org/jira/browse/SLING-9090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17048856#comment-17048856 ]
Mohit Arora commented on SLING-9090: ------------------------------------ [~bdelacretaz], [~angela] We do have a usecase for remove functionality. Right now, it silently converts the {{remove}} action into {{deny}} which is not something one would expect while using the feature. Although I do see SLING documentation [0] mentioning {{remove is currently not supported by the jcr.repoinit module}}, it does not mention that {{remove}} is being converted to {{deny}} under the hood. We have a deadline for a feature release and to avoid a security issue we are currently using {{remove ACL}} in our feature model which is adding {{deny}} for the service user on specified path. We would not want it to fail with an error as it is currently supported (albeit performing wrongly, but supported, nevertheless). It would indeed be beneficial to have proper implementation of {{remove}} such that existing usages do not need any change. For existing implementation, they would continue adding deny ACE and for new implementation, they will simply remove the ACE from specified path if present. If not present, it should silently abort. cc - [~shgupta], [~ashishc] [0] https://sling.apache.org/documentation/bundles/repository-initialization.html > AclLine.Action.REMOVE and AclLine.Action.REMOVE_ALL not handled in jcr > implementation > ------------------------------------------------------------------------------------- > > Key: SLING-9090 > URL: https://issues.apache.org/jira/browse/SLING-9090 > Project: Sling > Issue Type: Bug > Components: Repoinit > Reporter: Angela Schreiber > Priority: Major > > [~bdelacretaz], while the documentation and the parser code provides the > ability to remove an individual or all access control entries, it seems the > JCR implementation doesn't actually support it. > using it may lead to odd side effects or failures.... so, i think either the > parser should remove the support for Action.REMOVE and Action.REMOVE_ALL or > the jcr implementation part should respect it... at the very minimum it > should spot any usage of it and fail the repo-init if there is no way to > implement it properly. -- This message was sent by Atlassian Jira (v8.3.4#803005)