Maybe I misunderstood Security.checkPermission(). I thought
checkPermission() can verify user access regardless of the user who gets the
instance of Security helper. It doesn't work as I thought. It seems like
there is a discrepancy between Security.checkPermission() and
Structure.retrieve().

When I get a NamespaceAccessToken, I use an empty string as the token.

    token = Domain.accessNamespace(new SecurityToken(new String()), "slide");
    Structure structure = token.getStructureHelper();
    Security security = token.getSecurityHelper();
    ActionNode read = (ActionNode) structure.retrieve(slideToken, "/actions/read");
    SubjectNode frank = (SubjectNode) structure.retrieve(slideToken, "/users/eric-users/frank");
    ObjectNode folder3 = structure.retrieve(slideToken, "/files/eric/resources/folder1/folder2/folder3");
    security.checkPermission(folder3, frank, read); // <- NO Exception!!

When I call security.checkPermission(folder3, frank, read), no exception is
thrown.
However, if I try to retrieve folder3 using a SlideToken that represents
frank, I got AccessDeniedException.

    SlideToken frankToken = new SlideTokenImpl(new CredentialsToken(new String("frank")));
    structure.retrieve(frankToken, "/files/eric/resources/folder1/folder2/folder3");

Is it a bug?
--
Willie Vu
> -----Original Message-----
> From: Willie Vu [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 23, 2003 12:10
> To: 'Slide Users Mailing List'
> Subject: RE: Question on permission setting
>
>
> Here is a sample node tree. Permissions are listed in square
> brackets. Notice that
> /files/eric/resources/folder1/folder2/folder3 is granted
> /actions/read to /users/eric-groups/egg only. When I call
> security.checkPermission(folder3, frank, read), why isn't
> AllowedDeniedException thrown?
>
> Root : / [(/-root-/actions-true) ]
> Child : /users []
> Child : /users/root []
> Child : /users/eric []
> Child : /users/eric-users []
> Child : /users/eric-users/frank []
> Child : /users/eric-users/eggYoug []
> Child : /users/eric-groups []
> Child : /users/eric-groups/egg []
> Child : /users/eric-groups/egg/eggYoug []
> Child : /actions []
> Child : /actions/read []
> Child : /actions/write []
> Child : /actions/manage []
> Child : /files []
> Child : /files/eric [(/files/eric-/users/eric-/actions-true) ]
> Child : /files/eric/resources []
> Child : /files/eric/resources/folder1 []
> Child : /files/eric/resources/folder1/folder2 []
> Child : /files/eric/resources/folder1/folder2/folder3 [(/files/eric/resources/folder1/folder2/folder3-+/users/eric-groups/egg-/actions/read-false) ]
> Child : /files/eric/resources/folder1/folder2/folder3/file3.txt []
> Child : /files/eric/resources/folder1/folder2/file2.txt []
> Child : /files/eric/resources/folder1/file1.txt []
> Closing data sources
> java.lang.AssertionError: frank should not be allowed to access folder3
>         at Test.main(Test.java:88)
>
>
>
> --
> Willie Vu
>
>
>
> > -----Original Message-----
> > From: Willie Vu [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 23, 2003 11:19
> > To: [EMAIL PROTECTED]
> > Subject: Question on permission setting
> >
> >
> > I want to set up permissions so that:
> >
> > 1. each user (say John) has his own /files/<user name>
> >    directory. Only he and root have write permission.
> > 2. John is allowed to grant read permission to other users
> >    (say Mary).
> > 3. The number of users who can share directories is dynamic.
> >    So, new users (Joe, Peter) will be created after permissions
> >    are set up.
> >
> > The namespace looks like this:
> >
> > /
> > - files
> > -- john (root and john have read/write permission; mary has
> > read permission)
> > - users
> > -- root
> > -- john
> > -- mary
> >
> > More users will be created in the future. I want to make
> > sure no new users have read permission to /files/john. So, I
> > tried adding a negative permission to /files/john, i.e.
> > (/files/john, /users, /actions/read, negative). The problem
> > is that even john and root have no read permission to
> > /files/john. The reason is that if Slide finds a permission
> > conflict on the same node, the negative permission prevails.
> > If I do not specify permission explicitly, it seems like
> > everyone has /actions/read to /files/john.
> >
> > My question is, how do I set up permissions so that a node is
> > only readable by persons who are granted /actions/read
> > explicitly and no one else, including new users, has
> > /actions/read to the node?
> >
> >
> > --
> > Willie Vu
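
Added example (not part of the original messages and not Slide's own code): a small stand-alone Java model of the rule described in the first question, that a negative entry beats a grant on the same node. It shows why a negative entry for /users also locks out john, and how a default-deny evaluator with explicit grants keeps new users out. The class AclModel, its methods, and the rule that an entry for /users covers every node below it are assumptions of this model.

```java
import java.util.*;

// Simplified model of the permission question in this thread; NOT Slide's implementation.
public class AclModel {
    // One ACL entry: subject URI, action URI, and whether it is a negative (deny) entry.
    record Perm(String subject, String action, boolean negative) {}

    // Object URI -> entries set directly on that node (constructed sample data).
    static final Map<String, List<Perm>> ACL = new HashMap<>();

    // Assumption: an entry for /users also covers every node below /users.
    static boolean covers(String entrySubject, String subject) {
        return subject.equals(entrySubject) || subject.startsWith(entrySubject + "/");
    }

    static String parent(String uri) {
        int i = uri.lastIndexOf('/');
        return i <= 0 ? "/" : uri.substring(0, i);
    }

    // Walk from the object up to the root; the nearest node with a matching entry decides.
    // On one node a negative entry beats a grant (the rule described in the thread).
    // defaultAllow=false models "only explicitly granted subjects may read".
    static boolean allowed(String object, String subject, String action, boolean defaultAllow) {
        for (String node = object; ; node = parent(node)) {
            boolean grant = false, deny = false;
            for (Perm p : ACL.getOrDefault(node, List.of())) {
                if (p.action().equals(action) && covers(p.subject(), subject)) {
                    if (p.negative()) deny = true; else grant = true;
                }
            }
            if (deny) return false;
            if (grant) return true;
            if (node.equals("/")) return defaultAllow;
        }
    }

    public static void main(String[] args) {
        String read = "/actions/read", obj = "/files/john";
        // Attempt from the thread: grants for john and mary plus a negative entry for /users.
        ACL.put(obj, List.of(new Perm("/users/john", read, false),
                             new Perm("/users/mary", read, false),
                             new Perm("/users", read, true)));
        System.out.println("negative on /users: john -> " + allowed(obj, "/users/john", read, true));
        // Default-deny alternative: explicit grants only, no negative entry.
        ACL.put(obj, List.of(new Perm("/users/john", read, false),
                             new Perm("/users/mary", read, false)));
        for (String u : List.of("/users/john", "/users/mary", "/users/joe"))
            System.out.println("default-deny: " + u + " -> " + allowed(obj, u, read, false));
    }
}
```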