[ 
https://issues.apache.org/jira/browse/SLING-9090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17048856#comment-17048856
 ] 

Mohit Arora commented on SLING-9090:
------------------------------------

[~bdelacretaz], [~angela] We do have a use case for remove functionality. Right 
now, it silently converts the {{remove}} action into {{deny}} which is not 
something one would expect while using the feature. Although I do see SLING 
documentation [0] mentioning {{remove is currently not supported by the 
jcr.repoinit module}}, it does not mention that {{remove}} is being converted 
to {{deny}} under the hood.

We have a deadline for a feature release and to avoid a security issue we are 
currently using {{remove ACL}} in our feature model which is adding {{deny}} 
for the service user on specified path. We would not want it to fail with an 
error as it is currently supported (albeit performing wrongly, but supported, 
nevertheless). It would indeed be beneficial to have proper implementation of 
{{remove}} such that existing usages do not need any change. For existing 
implementation, they would continue adding deny ACE and for new implementation, 
they will simply remove the ACE from specified path if present. If not present, 
it should silently abort.

cc - [~shgupta], [~ashishc]

[0] 
https://sling.apache.org/documentation/bundles/repository-initialization.html

> AclLine.Action.REMOVE and AclLine.Action.REMOVE_ALL not handled in jcr 
> implementation
> -------------------------------------------------------------------------------------
>
>                 Key: SLING-9090
>                 URL: https://issues.apache.org/jira/browse/SLING-9090
>             Project: Sling
>          Issue Type: Bug
>          Components: Repoinit
>            Reporter: Angela Schreiber
>            Priority: Major
>
> [~bdelacretaz], while the documentation and the parser code provide the 
> ability to remove an individual or all access control entries, it seems the 
> JCR implementation doesn't actually support it.
> Using it may lead to odd side effects or failures.... so, I think either the 
> parser should remove the support for Action.REMOVE and Action.REMOVE_ALL or 
> the jcr implementation part should respect it... at the very minimum it 
> should spot any usage of it and fail the repo-init if there is no way to 
> implement it properly. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
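
A pre-deployment check along the lines of the "spot any usage of it" suggestion in the issue description, as an added example that is not code from the Sling project or from this thread: it scans repoinit text for {{remove}} entries inside {{set ACL}} blocks, which per the comment above currently end up as {{deny}} entries. The statement syntax handled here is assumed from the repoinit documentation [0]; the sample script, the {{svc-reader}} user and the paths are constructed.

```python
import re

# Block header: "set ACL for <principals>", "set ACL on <paths>",
# or "set principal ACL for <principals>" (syntax assumed from the repoinit docs).
BLOCK_START = re.compile(r"^set\s+(?:principal\s+)?ACL\s+((?:for|on)\s+.+)$", re.I)
# Entry inside a block: "<action> <privileges> on|for <targets>".
ENTRY = re.compile(r"^(allow|deny|remove)\s+(.+?)\s+(?:on|for)\s+(.+)$", re.I)


def find_remove_actions(repoinit_text):
    """Return one finding per 'remove' entry found inside a 'set ACL' block."""
    findings = []
    scope = None  # header of the ACL block currently open, if any
    for lineno, raw in enumerate(repoinit_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        header = BLOCK_START.match(line)
        if header:
            scope = header.group(1)
        elif line.lower() == "end":
            scope = None
        elif scope is not None:
            entry = ENTRY.match(line)
            if entry and entry.group(1).lower() == "remove":
                findings.append({"line": lineno, "scope": scope,
                                 "privileges": entry.group(2),
                                 "target": entry.group(3)})
    return findings


# Constructed sample; the service user name and paths are made up.
SAMPLE = """\
create service user svc-reader

set ACL for svc-reader
    allow jcr:read on /content
    remove jcr:write on /content/private
end

set ACL on /libs,/apps
    remove * for svc-reader
    deny jcr:write for svc-reader
end
"""

if __name__ == "__main__":
    for f in find_remove_actions(SAMPLE):
        print("line {line}: remove {privileges} ({scope} -> {target})".format(**f))
```

A non-empty result marks the entries to review before the feature model is deployed.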
