Hi, I might be doing something wrong, but I am running into issues with Sling resource permissions. This is my setup:

- User: perm_17_user
- Group: perm_17_group
- Group: tenant_all
- User is part of both groups
- Everyone has read access to /
- Resource: /content/perm_17
- perm_17_group has jcr:all granted
- tenant_all has jcr:all denied

Groups:

    curl -u admin:admin http://localhost:8080/home/groups.2.json | jq

    {
      "jcr:primaryType": "rep:AuthorizableFolder",
      "tenants": {
        "jcr:primaryType": "rep:AuthorizableFolder",
        "HDE3HZ3kFOirj8vCLpgj5": {
          "jcr:primaryType": "rep:Group",
          "jcr:mixinTypes": [
            "rep:AccessControllable"
          ],
          "jcr:createdBy": "admin",
          "jcr:created": "Thu Apr 23 2020 15:58:06 GMT-0700",
          "rep:principalName": "all_tenants",
          "jcr:uuid": "c273e21f-1cf9-3f59-80e8-a760e7930b8d",
          "rep:members": [
            "3c23d2bf-61a4-3204-bde0-6a3e86d2d04b",
            "42cd1880-d41d-3b27-ab4a-f0235da1715c",
            "00344a23-f67d-3f6b-951e-71c2ae5e0482",
            "ef43d954-cf0d-3d61-9ab2-b9a5259619c0",
            "a197e96b-cf2b-3cbd-bab4-103bd0e1646d"
          ],
          "rep:authorizableId": "all_tenants"
        },
        "QMRo8OL5zNSaHnA4zK4YV": {
          "jcr:primaryType": "rep:Group",
          "jcr:mixinTypes": [
            "rep:AccessControllable"
          ],
          "jcr:createdBy": "peregrine-service-user",
          "jcr:created": "Thu Apr 23 2020 18:02:27 GMT-0700",
          "rep:principalName": "perm_17_group",
          "jcr:uuid": "a197e96b-cf2b-3cbd-bab4-103bd0e1646d",
          "rep:members": [
            "6e0b16ee-cdf4-3a65-9a22-951b7828ce52"
          ],
          "rep:authorizableId": "perm_17_group"
        },

Users:

    curl -u admin:admin http://localhost:8080/home/users.2.json | jq

    {
      "jcr:primaryType": "rep:AuthorizableFolder",
      "tenants": {
        "jcr:primaryType": "rep:AuthorizableFolder",
        "7G1VbW9W5bThqIYQRNFbH": {
          "jcr:primaryType": "rep:User",
          "jcr:mixinTypes": [
            "rep:AccessControllable"
          ],
          "jcr:createdBy": "peregrine-service-user",
          "rep:password": "{SHA-256}e6a0e743c84a57c9-1000-097a1bab311072202e27e03b4561b5238909a2426c708da982b85a5d78f02fba",
          "jcr:created": "Thu Apr 23 2020 18:02:27 GMT-0700",
          "rep:principalName": "perm_17_user",
          "jcr:uuid": "6e0b16ee-cdf4-3a65-9a22-951b7828ce52",
          "rep:authorizableId": "perm_17_user"
        },

EACL List:

    curl -u admin:admin http://localhost:8080/content/perm_17.eacl.json | jq

    {
      "perm_17_group": {
        "principal": "perm_17_group",
        "granted": [
          "jcr:all"
        ],
        "order": 0
      },
      "all_tenants": {
        "principal": "all_tenants",
        "denied": [
          "jcr:all"
        ],
        "order": 1
      },

Finally, when I list the resources in /content for user perm_17_user then it will not list perm_17:

    curl -u perm_17_user:perm_17_user http://localhost:8080/content.1.json | jq

When I replace the group with the user to grant jcr:all then it does return that resource:

    curl -u perm_17_user:perm_17_user http://localhost:8080/content.1.json | jq

    {
      "jcr:primaryType": "sling:OrderedFolder",
      "jcr:mixinTypes": [
        "rep:AccessControllable"
      ],
      "jcr:createdBy": "admin",
      "jcr:created": "Thu Apr 23 2020 15:58:06 GMT-0700",
      "nodejs": {
        "jcr:primaryType": "sling:Folder",
        "jcr:createdBy": "admin",
        "jcr:title": "Sling Node Package Manager",
        "jcr:created": "Thu Apr 23 2020 15:59:49 GMT-0700",
        "jcr:description": "Sling Node Package Manager Content Root"
      },
      "perm_17": {
        "jcr:primaryType": "per:Site",
        "jcr:mixinTypes": [
          "rep:AccessControllable"
        ],
        "jcr:title": "perm_17",
        "template": false,
        "sourceSite": "themecleanflex",
        "internal": false

This looks like the group membership of the user is not checked against the group. Is there anything I do wrong, is this a known issue or a bug?

Cheers - Andy Schaefer
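
The ACL listed in the message, run through a small model of entry precedence, as an added example that is not part of the original message and is not Sling or Oak code. It assumes that an entry for the user principal overrides group entries and that, among group entries, the one later in the list wins; inheritance from / is not modelled, and the `REORDERED` list is a constructed variant.

```python
# Added illustration: toy model of ACE precedence on one node (assumed rule).
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    principal: str
    allow: bool      # True = "granted", False = "denied"
    order: int       # position in the list, as in the .eacl.json output
    is_group: bool


def effective(aces, user, groups):
    """Return True (granted), False (denied) or None (no matching entry).

    Assumed rule: an entry for the user principal beats any group entry;
    among entries of the same kind the one latest in the list wins.
    """
    principals = {user, *groups}
    matching = [a for a in aces if a.principal in principals]
    for group_tier in (False, True):      # user entries are consulted first
        tier = [a for a in matching if a.is_group == group_tier]
        if tier:
            return max(tier, key=lambda a: a.order).allow
    return None


USER = "perm_17_user"
GROUPS = ["perm_17_group", "all_tenants"]  # memberships from the message

# ACL as listed for /content/perm_17 (every entry concerns jcr:all).
AS_POSTED = [
    Ace("perm_17_group", True, 0, True),
    Ace("all_tenants", False, 1, True),
]
# Constructed variant: the same two entries with their order swapped.
REORDERED = [
    Ace("all_tenants", False, 0, True),
    Ace("perm_17_group", True, 1, True),
]
# Variant described in the message: the grant moved from group to user.
USER_GRANT = [
    Ace("perm_17_user", True, 0, False),
    Ace("all_tenants", False, 1, True),
]

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(f"{name:10} -> {effective(acl, USER, GROUPS)}")
    print(f"{'user grant':10} -> {effective(USER_GRANT, USER, GROUPS)}")
```

Under the assumed rule the model reproduces both observations in the message: the listed ACL denies, and the user-level grant allows.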