[ https://issues.apache.org/jira/browse/OAK-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17024307#comment-17024307 ]
Kunal Shubham commented on OAK-8855: ------------------------------------ [~angela] Here's explanation about some parts of the test case: {quote}Tree cugPolicyNode = root.getTree("/content/a/rep:cugPolicy"); cugPolicyNode.removeProperty(HIDDEN_NESTED_CUGS);{quote} Remove :nestedCugs from /content/a/rep:cugPolicy. I have verified with the assertNestedCugs(root, getRootProvider(), "/content/a", true, "/content/a/b1", "/content/a/b2") statement that indeed *we are able to remove :nestedCugs with this API.* Please correct me if I am wrong but there are several places where hidden properties are read/added/removed, [1] and [2] being examples. {quote}PropertyState ps1 = PropertyStates.createProperty(CugConstants.REP_PRINCIPAL_NAMES, ImmutableSet.of(TEST_GROUP_ID), Type.STRINGS); PropertyState ps2 = PropertyStates.createProperty(CugConstants.REP_PRINCIPAL_NAMES, ImmutableSet.of(TEST_GROUP2_ID), Type.STRINGS); root.getTree("/content/a/b1/rep:cugPolicy").setProperty(ps1); root.getTree("/content/a/b2/rep:cugPolicy").setProperty(ps2); root.commit(); // should restore :nestedCugs in "/content/a/rep:cugPolicy"{quote} The intent here is to "touch" the children nodes b1 and b2 so that these nodes are also considered to be modified, so that :nestedCugs on /content/a/rep:cugPolicy can be reconstructed. In reality the property rep:principalNames are overwritten but not changed. The intention was not to add principals on these nodes again but to get them considered for modification by the NestedCugHook. I could not find a better API for this job so I just reassigned the users to the nodes. Please note that b1 and b2 need to be "touched" so that the :nestedCugs can be reconstructed on /content/a/rep:cugPolicy. I hope it makes sense. Any suggestion for improvement on this step will be appreciated!! After this, the permissions of a user on different nodes are verified. Please also refer to my first comment [3] which explains more about this. {quote}i would appreciate if you could explain/rework the test class. {quote} The existing setup of nodes, users and groups defined in *AbstractCugTest.java* did not allow me to test out this specific scenario. For example, * I needed a group which contains two users (both non-admin). * I needed a node (non-root) which contains two child node. That's why I thought it reasonable to add another test class, and define *setupNestedCugsAndAcls()* which creates the node structure and groups that I required. {quote}the names sound super generic but you have a very specific case instead. {quote} For naming, I think *"NestedCugPermissionTest.java"* is more fitting. [1] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java#L81-83|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugUtil.java#L81] [2] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/NestedCugHook.java#L114] [3] https://issues.apache.org/jira/browse/OAK-8855?focusedCommentId=17015025&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17015025 > Permission evaluation of nodes broken after :nestedCug removed from parent > node > ------------------------------------------------------------------------------- > > Key: OAK-8855 > URL: https://issues.apache.org/jira/browse/OAK-8855 > Project: Jackrabbit Oak > Issue Type: Bug > Components: authorization-cug > Affects Versions: 1.8.7 > Reporter: Kunal Shubham > Assignee: Angela Schreiber > Priority: Major > Attachments: 0001-Fix-nestedcug-permission-issue.patch, > OAK-8855_backport.patch > > > Steps to Reproduce: > # Create a node 'a' which has two children nodes 'b1' and 'b2'. The content > tree looks as shown: /content/a/b1, /content/a/b2. Create two users user1 and > user2. > # Apply CUG policy on /content/a. > ** Authorize user1 and user2 to read /content/a. > ** Authorize user1 to read /content/a/b1. > ** Authorize user2 to read /content/a/b2. > # Remove :nestedCugs property from /content/a/rep:cugPolicy. > # Create a content session, login with user2. Try to read /content/a/b1. > *Observed behavior* : user2 is able to read /content/a/b1. > *Expected behavior* : user2 should not be able to read /content/a/b1 as it is > unauthorized to do so. > Please note that :nestedCugs is removed by a mechanism which completely > overwrites content tree below "/content/a". -- This message was sent by Atlassian Jira (v8.3.4#803005)