On 10.10.11 23:02, "Markus Joschko" <[email protected]> wrote:
>Hi,
>In my repository I have a structure that has many deep branches.
>Within these branches there are three different types of nodes.
>Each type is maintained by another group of users. These groups can be
>configured per branch
>(it's a bit like in a file system where one group can only maintain
>the folders and the other group only the files in a branch).
>
>Now the question is how to best handle the access control here.
>I can:
>- either add an ace to each and every node in the repository and pay
>the price that I have to maintain a lot of them in case ownership of a
>branch changes or subbranches are moved into different branches.
>- find a way to hook into the accesscontrol mechanism of jackrabbit to
>make this easier. So far I have failed to find a good way to do so.
> I initially thought about introducing custom privileges that can be
>used as markers and then extend the ACLProvider to take these
>privileges also into account when calculating permissions.
> However from looking at the code it seems to me, that custom
>privileges can only be defined as aggregates of existing privileges
>and then also the aggregate can not exist twice. I guess it is not a
>good idea to create artificial aggregates just to define new privileges.
>- an alternative might be to create new accesscontrol entries that do
>not only have path restrictions but also nodetype restrictions.
>However that seems to be quite invasive and a lot of work.
>
>Any other ideas how to tackle that problem?

Principal-based ACLs maybe?

Alex

--
Alexander Klimetschek
Developer // Adobe (Day) // Berlin - Basel
