[jira] [Commented] (SLING-11243) Allow modifying an ace with more specific restriction details
[
https://issues.apache.org/jira/browse/SLING-11243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17629548#comment-17629548
]
Eric Norman commented on SLING-11243:
-
PR #16 fixes a problem where if any leaf privilege has different restrictions
than a contained aggregate parent privilege, then the parent should not be set
and the non-conflicting ancestors should be set instead to avoid an ambiguous
definition.
> Allow modifying an ace with more specific restriction details
> -
>
> Key: SLING-11243
> URL: https://issues.apache.org/jira/browse/SLING-11243
> Project: Sling
> Issue Type: New Feature
>Reporter: Eric Norman
>Assignee: Eric Norman
>Priority: Major
> Fix For: JCR Jackrabbit Access Manager 3.1.0
>
> Time Spent: 3h 40m
> Remaining Estimate: 0h
>
> Support for modifying an ace with more specific details to support advanced
> usage of privileges with restrictions.
> These are a few of the use cases:
> # Setting a restriction for a specific privilege instead of for all
> privileges
> # Removing a restriction from a specific privilege
> # Privilege can set for the 'allow' and 'deny' state at the same time if
> those have different restrictions
> # Privilege can be unset for 'allow' or 'deny' state while leaving the other
> state alone
>
> The proposal is to supporting these additional request parameters:
>
> {code:java}
> One param for each privilege to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> privilege@[privilege_name]@Delete
> One param for each restriction value. The same parameter name may be used
> again for multi-value restrictions. The @Allow or @Deny suffix specifies
> whether to apply the restriction to the 'allow' or 'deny' privilege. The
> value is the target value of the restriction to be set.
> restriction@[privilege_name]@[restriction_name]@Allow
> restriction@[privilege_name]@[restriction_name]@Deny
> One param for each restriction to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> restriction@[privilege_name]@[restriction_name]@Delete {code}
>
> For consistency, also extend the values allowed for the
> "privilege@[privilege_name]" parameter to accept 'allow' or 'deny' as aliases
> for 'granted' or 'denied'.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (SLING-11243) Allow modifying an ace with more specific restriction details
[
https://issues.apache.org/jira/browse/SLING-11243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17553144#comment-17553144
]
Eric Norman commented on SLING-11243:
-
PR #15 fixes a problem where modifying an ACE should not include a allow/deny
aggregate privilege when there is a deny/allow child privilege with the same
restrictions as the parent
> Allow modifying an ace with more specific restriction details
> -
>
> Key: SLING-11243
> URL: https://issues.apache.org/jira/browse/SLING-11243
> Project: Sling
> Issue Type: New Feature
>Reporter: Eric Norman
>Assignee: Eric Norman
>Priority: Major
> Fix For: JCR Jackrabbit Access Manager 3.1.0
>
> Time Spent: 3h 10m
> Remaining Estimate: 0h
>
> Support for modifying an ace with more specific details to support advanced
> usage of privileges with restrictions.
> These are a few of the use cases:
> # Setting a restriction for a specific privilege instead of for all
> privileges
> # Removing a restriction from a specific privilege
> # Privilege can set for the 'allow' and 'deny' state at the same time if
> those have different restrictions
> # Privilege can be unset for 'allow' or 'deny' state while leaving the other
> state alone
>
> The proposal is to supporting these additional request parameters:
>
> {code:java}
> One param for each privilege to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> privilege@[privilege_name]@Delete
> One param for each restriction value. The same parameter name may be used
> again for multi-value restrictions. The @Allow or @Deny suffix specifies
> whether to apply the restriction to the 'allow' or 'deny' privilege. The
> value is the target value of the restriction to be set.
> restriction@[privilege_name]@[restriction_name]@Allow
> restriction@[privilege_name]@[restriction_name]@Deny
> One param for each restriction to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> restriction@[privilege_name]@[restriction_name]@Delete {code}
>
> For consistency, also extend the values allowed for the
> "privilege@[privilege_name]" parameter to accept 'allow' or 'deny' as aliases
> for 'granted' or 'denied'.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
[jira] [Commented] (SLING-11243) Allow modifying an ace with more specific restriction details
[
https://issues.apache.org/jira/browse/SLING-11243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17541090#comment-17541090
]
Eric Norman commented on SLING-11243:
-
Merged PR #13 at:
[{{f65fae1}}|https://github.com/apache/sling-org-apache-sling-jcr-jackrabbit-accessmanager/commit/f65fae14eba63926e06f03140d0325a9b2a8b742]
> Allow modifying an ace with more specific restriction details
> -
>
> Key: SLING-11243
> URL: https://issues.apache.org/jira/browse/SLING-11243
> Project: Sling
> Issue Type: New Feature
>Reporter: Eric Norman
>Assignee: Eric Norman
>Priority: Major
> Fix For: JCR Jackrabbit Access Manager 3.1.0
>
> Time Spent: 2h 50m
> Remaining Estimate: 0h
>
> Support for modifying an ace with more specific details to support advanced
> usage of privileges with restrictions.
> These are a few of the use cases:
> # Setting a restriction for a specific privilege instead of for all
> privileges
> # Removing a restriction from a specific privilege
> # Privilege can set for the 'allow' and 'deny' state at the same time if
> those have different restrictions
> # Privilege can be unset for 'allow' or 'deny' state while leaving the other
> state alone
>
> The proposal is to supporting these additional request parameters:
>
> {code:java}
> One param for each privilege to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> privilege@[privilege_name]@Delete
> One param for each restriction value. The same parameter name may be used
> again for multi-value restrictions. The @Allow or @Deny suffix specifies
> whether to apply the restriction to the 'allow' or 'deny' privilege. The
> value is the target value of the restriction to be set.
> restriction@[privilege_name]@[restriction_name]@Allow
> restriction@[privilege_name]@[restriction_name]@Deny
> One param for each restriction to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> restriction@[privilege_name]@[restriction_name]@Delete {code}
>
> For consistency, also extend the values allowed for the
> "privilege@[privilege_name]" parameter to accept 'allow' or 'deny' as aliases
> for 'granted' or 'denied'.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
[jira] [Commented] (SLING-11243) Allow modifying an ace with more specific restriction details
[
https://issues.apache.org/jira/browse/SLING-11243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17540235#comment-17540235
]
Eric Norman commented on SLING-11243:
-
PR #13 fixes a problem related to merging of multivalue restriction values for
the effective ace json output
> Allow modifying an ace with more specific restriction details
> -
>
> Key: SLING-11243
> URL: https://issues.apache.org/jira/browse/SLING-11243
> Project: Sling
> Issue Type: New Feature
>Reporter: Eric Norman
>Assignee: Eric Norman
>Priority: Major
> Fix For: JCR Jackrabbit Access Manager 3.1.0
>
> Time Spent: 2.5h
> Remaining Estimate: 0h
>
> Support for modifying an ace with more specific details to support advanced
> usage of privileges with restrictions.
> These are a few of the use cases:
> # Setting a restriction for a specific privilege instead of for all
> privileges
> # Removing a restriction from a specific privilege
> # Privilege can set for the 'allow' and 'deny' state at the same time if
> those have different restrictions
> # Privilege can be unset for 'allow' or 'deny' state while leaving the other
> state alone
>
> The proposal is to supporting these additional request parameters:
>
> {code:java}
> One param for each privilege to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> privilege@[privilege_name]@Delete
> One param for each restriction value. The same parameter name may be used
> again for multi-value restrictions. The @Allow or @Deny suffix specifies
> whether to apply the restriction to the 'allow' or 'deny' privilege. The
> value is the target value of the restriction to be set.
> restriction@[privilege_name]@[restriction_name]@Allow
> restriction@[privilege_name]@[restriction_name]@Deny
> One param for each restriction to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> restriction@[privilege_name]@[restriction_name]@Delete {code}
>
> For consistency, also extend the values allowed for the
> "privilege@[privilege_name]" parameter to accept 'allow' or 'deny' as aliases
> for 'granted' or 'denied'.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
[jira] [Commented] (SLING-11243) Allow modifying an ace with more specific restriction details
[
https://issues.apache.org/jira/browse/SLING-11243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17539056#comment-17539056
]
Eric Norman commented on SLING-11243:
-
PR #11 fixes a problem where a second modifyace post reverses the entry order
> Allow modifying an ace with more specific restriction details
> -
>
> Key: SLING-11243
> URL: https://issues.apache.org/jira/browse/SLING-11243
> Project: Sling
> Issue Type: New Feature
>Reporter: Eric Norman
>Assignee: Eric Norman
>Priority: Major
> Fix For: JCR Jackrabbit Access Manager 3.0.12
>
> Time Spent: 2h 10m
> Remaining Estimate: 0h
>
> Support for modifying an ace with more specific details to support advanced
> usage of privileges with restrictions.
> These are a few of the use cases:
> # Setting a restriction for a specific privilege instead of for all
> privileges
> # Removing a restriction from a specific privilege
> # Privilege can set for the 'allow' and 'deny' state at the same time if
> those have different restrictions
> # Privilege can be unset for 'allow' or 'deny' state while leaving the other
> state alone
>
> The proposal is to supporting these additional request parameters:
>
> {code:java}
> One param for each privilege to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> privilege@[privilege_name]@Delete
> One param for each restriction value. The same parameter name may be used
> again for multi-value restrictions. The @Allow or @Deny suffix specifies
> whether to apply the restriction to the 'allow' or 'deny' privilege. The
> value is the target value of the restriction to be set.
> restriction@[privilege_name]@[restriction_name]@Allow
> restriction@[privilege_name]@[restriction_name]@Deny
> One param for each restriction to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> restriction@[privilege_name]@[restriction_name]@Delete {code}
>
> For consistency, also extend the values allowed for the
> "privilege@[privilege_name]" parameter to accept 'allow' or 'deny' as aliases
> for 'granted' or 'denied'.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
[jira] [Commented] (SLING-11243) Allow modifying an ace with more specific restriction details
[
https://issues.apache.org/jira/browse/SLING-11243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17539004#comment-17539004
]
Eric Norman commented on SLING-11243:
-
PR #10 fixes redundant privileges contained in ACE when setting restriction
details for a privilege that is part of an already allowed aggregate
> Allow modifying an ace with more specific restriction details
> -
>
> Key: SLING-11243
> URL: https://issues.apache.org/jira/browse/SLING-11243
> Project: Sling
> Issue Type: New Feature
>Reporter: Eric Norman
>Assignee: Eric Norman
>Priority: Major
> Fix For: JCR Jackrabbit Access Manager 3.0.12
>
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
> Support for modifying an ace with more specific details to support advanced
> usage of privileges with restrictions.
> These are a few of the use cases:
> # Setting a restriction for a specific privilege instead of for all
> privileges
> # Removing a restriction from a specific privilege
> # Privilege can set for the 'allow' and 'deny' state at the same time if
> those have different restrictions
> # Privilege can be unset for 'allow' or 'deny' state while leaving the other
> state alone
>
> The proposal is to supporting these additional request parameters:
>
> {code:java}
> One param for each privilege to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> privilege@[privilege_name]@Delete
> One param for each restriction value. The same parameter name may be used
> again for multi-value restrictions. The @Allow or @Deny suffix specifies
> whether to apply the restriction to the 'allow' or 'deny' privilege. The
> value is the target value of the restriction to be set.
> restriction@[privilege_name]@[restriction_name]@Allow
> restriction@[privilege_name]@[restriction_name]@Deny
> One param for each restriction to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> restriction@[privilege_name]@[restriction_name]@Delete {code}
>
> For consistency, also extend the values allowed for the
> "privilege@[privilege_name]" parameter to accept 'allow' or 'deny' as aliases
> for 'granted' or 'denied'.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
[jira] [Commented] (SLING-11243) Allow modifying an ace with more specific restriction details
[
https://issues.apache.org/jira/browse/SLING-11243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17520312#comment-17520312
]
Eric Norman commented on SLING-11243:
-
PR #6 is now ready for review and feedback
> Allow modifying an ace with more specific restriction details
> -
>
> Key: SLING-11243
> URL: https://issues.apache.org/jira/browse/SLING-11243
> Project: Sling
> Issue Type: New Feature
>Reporter: Eric Norman
>Assignee: Eric Norman
>Priority: Major
> Fix For: JCR Jackrabbit Access Manager 3.0.12
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> Support for modifying an ace with more specific details to support advanced
> usage of privileges with restrictions.
> These are a few of the use cases:
> # Setting a restriction for a specific privilege instead of for all
> privileges
> # Removing a restriction from a specific privilege
> # Privilege can set for the 'allow' and 'deny' state at the same time if
> those have different restrictions
> # Privilege can be unset for 'allow' or 'deny' state while leaving the other
> state alone
>
> The proposal is to supporting these additional request parameters:
>
> {code:java}
> One param for each privilege to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> privilege@[privilege_name]@Delete
> One param for each restriction value. The same parameter name may be used
> again for multi-value restrictions. The @Allow or @Deny suffix specifies
> whether to apply the restriction to the 'allow' or 'deny' privilege. The
> value is the target value of the restriction to be set.
> restriction@[privilege_name]@[restriction_name]@Allow
> restriction@[privilege_name]@[restriction_name]@Deny
> One param for each restriction to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> restriction@[privilege_name]@[restriction_name]@Delete {code}
>
> For consistency, also extend the values allowed for the
> "privilege@[privilege_name]" parameter to accept 'allow' or 'deny' as aliases
> for 'granted' or 'denied'.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
[jira] [Commented] (SLING-11243) Allow modifying an ace with more specific restriction details
[
https://issues.apache.org/jira/browse/SLING-11243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17520026#comment-17520026
]
Eric Norman commented on SLING-11243:
-
Started Draft PR #6 with the work in progress. The functionality seems to
work, but it may need some final cleanup and additional test coverage before it
is ready to merge.
> Allow modifying an ace with more specific restriction details
> -
>
> Key: SLING-11243
> URL: https://issues.apache.org/jira/browse/SLING-11243
> Project: Sling
> Issue Type: New Feature
>Reporter: Eric Norman
>Assignee: Eric Norman
>Priority: Major
> Fix For: JCR Jackrabbit Access Manager 3.0.12
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Support for modifying an ace with more specific details to support advanced
> usage of privileges with restrictions.
> These are a few of the use cases:
> # Setting a restriction for a specific privilege instead of for all
> privileges
> # Removing a restriction from a specific privilege
> # Privilege can set for the 'allow' and 'deny' state at the same time if
> those have different restrictions
> # Privilege can be unset for 'allow' or 'deny' state while leaving the other
> state alone
>
> The proposal is to supporting these additional request parameters:
>
> {code:java}
> One param for each privilege to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> privilege@[privilege_name]@Delete
> One param for each restriction value. The same parameter name may be used
> again for multi-value restrictions. The @Allow or @Deny suffix specifies
> whether to apply the restriction to the 'allow' or 'deny' privilege. The
> value is the target value of the restriction to be set.
> restriction@[privilege_name]@[restriction_name]@Allow
> restriction@[privilege_name]@[restriction_name]@Deny
> One param for each restriction to delete. The parameter value must be either
> 'allow', 'deny' or 'all' to specify which state to delete from.
> restriction@[privilege_name]@[restriction_name]@Delete {code}
>
> For consistency, also extend the values allowed for the
> "privilege@[privilege_name]" parameter to accept 'allow' or 'deny' as aliases
> for 'granted' or 'denied'.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
