Hi Jorge

The code you are describing relies on an implementation detail and you are 
right that it only works for administrative sessions. The reason for this is 
that using a different user to read from the permission store would essentially 
leak information that may not be accessible to that session.

Also, you have to keep in mind that this code only reads information for one 
particular authorization model. If your Oak repository would, for instance, use 
more than one model, you would miss the effect the others would have.

What you are probably looking for is

AccessControlPolicy[] getEffectivePolicies(Set<Principal> principals)

This one would show the effective policies for a given set of principals, taking 
the access rights of the editing session into account. So, if a given Session 
would not be allowed to read the access control setup at a given node or for a 
given principal, this information will not leak.

Hope that helps
Angela



________________________________________
From: jorgeeflorez <jorgeeduardoflo...@gmail.com>
Sent: Thursday, April 25, 2019 4:39 PM
To: oak-dev@jackrabbit.apache.org
Subject: Retrieving permissions for user

Hello all,

I am maintaining an application that uses Jackrabbit and Oak
(1.5.14). In that software someone wrote the following code to get all
permissions given to a user:

// Paths for which the principal has entries in the permission store
List<String> authPaths = new ArrayList<>();
String permissionParent = "/jcr:system/rep:permissionStore/default/" +
principalName;

// Only readable by an administrative session
Node parent = session.getNode(permissionParent);

NodeIterator iter = parent.getNodes();

while (iter.hasNext()) {
    Node current = iter.nextNode();

    Property prop = current.getProperty("rep:accessControlledPath");

    authPaths.add(prop.getString());
}

This way, in the user interface all paths are shown and when one is
selected, the privileges assigned can be shown.

The problem with this code is that it only works when it is executed by the
"admin" user (if I understood well, it is because of the restricted access to
"/jcr:system/rep:permissionStore" as explained here
<https://jackrabbit.apache.org/oak/docs/security/permission/default.html>).
I need to display all paths with privileges assigned to a user, and I
think this is not possible using the methods described here
<https://jackrabbit.apache.org/oak/docs/security/accesscontrol/editing.html>,
because they receive a path as argument (maybe I am wrong). Is there a way
to achieve this (and that works for admin and all users with proper
permissions)?

Thanks in advance.
Best Regards.

Jorge Eduardo Flórez
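
The approach suggested in the reply at the top of this thread, as an added example that is not part of the original messages or of the Oak code base: it lists the access-controlled paths for one principal through getEffectivePolicies(Set<Principal>) instead of reading the permission store. The class and method names are hypothetical, and it assumes the caller passes a logged-in Session from an Oak repository, so that the session is a JackrabbitSession and its access control manager is a JackrabbitAccessControlManager.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;

public final class EffectivePolicyPaths {   // hypothetical name

    /** Maps each access-controlled path the session may read to the principal's entries there. */
    public static Map<String, List<String>> entriesByPath(Session session, String principalName)
            throws RepositoryException {
        // Resolve the principal through the API, not by building a node path from its name.
        // Assumption: the session comes from Oak, so these casts succeed.
        Principal principal = ((JackrabbitSession) session).getPrincipalManager().getPrincipal(principalName);
        if (principal == null) {
            return Collections.emptyMap();  // unknown principal, or not visible to this session
        }
        JackrabbitAccessControlManager acMgr =
                (JackrabbitAccessControlManager) session.getAccessControlManager();
        Map<String, List<String>> result = new TreeMap<>();
        // Policies the editing session is not allowed to read are simply absent here.
        for (AccessControlPolicy policy : acMgr.getEffectivePolicies(Collections.singleton(principal))) {
            if (!(policy instanceof JackrabbitAccessControlList)) {
                continue;                   // policy type this example does not interpret
            }
            JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policy;
            // getPath() returns null for repository-level policies.
            String path = acl.getPath() == null ? "(repository level)" : acl.getPath();
            for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                if (!principal.getName().equals(ace.getPrincipal().getName())) continue;
                boolean allow = !(ace instanceof JackrabbitAccessControlEntry)
                        || ((JackrabbitAccessControlEntry) ace).isAllow();
                List<String> names = new ArrayList<>();
                for (Privilege p : ace.getPrivileges()) names.add(p.getName());
                result.computeIfAbsent(path, k -> new ArrayList<>())
                      .add((allow ? "allow " : "deny ") + String.join(",", names));
            }
        }
        return result;
    }
}
```

The key set of the returned map replaces the authPaths list from the original snippet, and a non-administrative session gets a shorter map rather than an exception on the permission store path.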
