On further investigation I can partially answer some of my question(s):

* Version labelling is an admin-only function by default - but you can grant access controls to allow this for users that are not the admin-user.
* Having privileges on a resource does not correspond to any privileges on the corresponding version nodes being created in version history.
* Support for non-admin users' access to "label" items in version history can be achieved (with the default node-type definitions) by granting write access to jcr:system. This involves:
  1) add mixin rep:AccessControllable to /jcr:system - without this, attempts to add ACLs will not be possible - this isn't supported for /jcr:system/jcr:versionStorage or its children in the default node-type definition. It may be customisable?
  2) grant jcr:write privilege on /jcr:system for the principals that require it - weighing up the functionality gained by having non-admin version labelling vs any security issues with having broader access than default to /jcr:system

--
Kevin Jansz
[email protected]
Level 7, 10-16 Queen Street, Melbourne 3000 Australia
Tel +61 3 9621 2773 | Fax +61 3 9621 2776
Exari Systems
Boston | London | Melbourne | Munich
www.exari.com
Test drive our software online - www.exari.com/demo-trial.html
Read our blog on document assembly - blog.exari.com

On 8 February 2011 16:39, Kevin Jansz <[email protected]> wrote:
>
> In a repository (versioning & security configured)
> - a user can create a resource in an area where the ACLs allow it (say "testuser" has jcr:all on /content/example)
> - they can view the history of versions for the resource
> - they hit an issue if they try to label a version (system code is running javax.jcr.version.VersionHistory.addVersionLabel(String, String, boolean) on behalf of the user)
> - this hits an AccessDeniedException
> - checking the ACLs in the versionStorage area (/jcr:system/jcr:versionStorage/../../....) this is set to
>   - administrators have jcr:all
>   - everyone has jcr:read
>   this must be the default as this area has not had ACLs configured
> - all attempts to edit ACLs on /jcr:system/jcr:versionStorage/ seem to have no effect
>
> I probably haven't described this well, but it seems I might be using the methods in the wrong way ...
> in summary:
> - is version labelling meant to be an administrators-only function?
> - if not, it seems that having jcr:all on something that is mix:versionable does not automatically mean you'll have label (jcr:versionManagement or jcr:modifyProperties?) access to the item's version history. Are there recommendations/examples for how this can/should be configured?
>
> Regards,
> Kevin
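The two steps from the reply above (add rep:AccessControllable to /jcr:system, then grant jcr:write there), followed by the addVersionLabel call that previously failed, written out against the JCR 2.0 API as an added example; this is not code from the thread. It assumes Java 8+, a Jackrabbit-style repository that accepts a name-only Principal when adding an ACL entry, and that the principal name and the path /content/example are placeholders.

```java
import java.security.Principal;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import javax.jcr.version.VersionHistory;
import javax.jcr.version.VersionManager;

public class VersionLabelAccess {

    /** Steps 1 and 2 from the reply; must run with an admin session. */
    public static void grantVersionLabelling(Session adminSession, String principalName)
            throws RepositoryException {
        Node jcrSystem = adminSession.getNode("/jcr:system");
        // Step 1: without this mixin, no ACL can be attached to /jcr:system.
        if (!jcrSystem.isNodeType("rep:AccessControllable")) {
            jcrSystem.addMixin("rep:AccessControllable");
        }
        AccessControlManager acm = adminSession.getAccessControlManager();
        // Reuse an ACL already bound to the node, otherwise take an applicable one.
        AccessControlList acl = null;
        for (AccessControlPolicy p : acm.getPolicies("/jcr:system")) {
            if (p instanceof AccessControlList) acl = (AccessControlList) p;
        }
        if (acl == null) {
            AccessControlPolicyIterator it = acm.getApplicablePolicies("/jcr:system");
            while (acl == null && it.hasNext()) {
                AccessControlPolicy p = it.nextAccessControlPolicy();
                if (p instanceof AccessControlList) acl = (AccessControlList) p;
            }
        }
        if (acl == null) throw new RepositoryException("no ACL policy available on /jcr:system");
        // Step 2: jcr:write on /jcr:system. Note this is broader than the version
        // storage subtree alone, which the default node types cannot ACL separately.
        Principal principal = () -> principalName;  // assumption: name-based principal accepted
        Privilege[] write = { acm.privilegeFromName(Privilege.JCR_WRITE) };
        acl.addAccessControlEntry(principal, write);
        acm.setPolicy("/jcr:system", acl);
        adminSession.save();
    }

    /** The call that raised AccessDeniedException; run with the user's own session. */
    public static void labelBaseVersion(Session userSession, String absPath, String label)
            throws RepositoryException {
        VersionManager vm = userSession.getWorkspace().getVersionManager();
        VersionHistory history = vm.getVersionHistory(absPath);
        String versionName = vm.getBaseVersion(absPath).getName();
        history.addVersionLabel(versionName, label, false);  // false: do not move an existing label
    }
}
```

Because the grant lands on /jcr:system as a whole, it is worth auditing what else that principal can now write there before enabling this outside a test repository.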
