  1. Sling
  2. SLING-3010

Managing Permissions using Sling with Aggregate Privileges


    Details

      Description

      I am using Sling's REST interface to modify the permissions on a Node. I noticed an issue.

      The issue I am facing can be best explained by showing the curl commands I executed and the output I received:

      (1) Here is the initial set of privileges present on the node:
      $ curl -u admin:admin http://localhost:8080/content/pertest.eacl.json
      {"test":{"principal":"test","denied":["jcr:versionManagement","jcr:read","jcr:modifyAccessControl","rep:write"],"order":0},"everyone":{"principal":"everyone","granted":["jcr:read","jcr:readAccessControl"],"order":1},"administrators":{"principal":"administrators","granted":["jcr:all"],"order":2}}

      (2) Run the below command to grant all the privileges for "test" principal
      $ curl -u admin:admin -FprincipalId=test -Fprivilege@jcr:versionManagement=granted -Fprivilege@jcr:read=granted -Fprivilege@jcr:modifyAccessControl=granted -Fprivilege@jcr:nodeTypeManagement=granted -Fprivilege@jcr:write=granted http://localhost:8080/content/pertest.modifyAce.json

      (3) As you can see from the below output, "jcr:write" is still present under "denied" privileges for "test" even though I granted all the privileges in the previous command
      $ curl -u admin:admin http://localhost:8080/content/pertest.eacl.json
      {"test":{"principal":"test","granted":["jcr:nodeTypeManagement","jcr:versionManagement","jcr:read","jcr:modifyAccessControl"],"denied":["jcr:write"],"order":0},"everyone":{"principal":"everyone","granted":["jcr:read","jcr:readAccessControl"],"order":1},"administrators":{"principal":"administrators","granted":["jcr:all"],"order":2}}

      Initially I thought it's a bug in Jackrabbit, but after getting the clarification from Jackrabbit forum, I think it might need to be corrected in Sling.

      Here is the link to the question I raised in Jackrabbit forum:

      http://jackrabbit.510166.n4.nabble.com/Bug-or-intended-behavior-getAggregatePrivileges-td4659272.html

      Potential fix:

      In the class org.apache.sling.jcr.base.util.AccessControlUtil.java, there is a private method with the below signature:

      private static Set<String> disaggregateToPrivilegeNames(Privilege privilege) {}

      Inside this method, there is a "for" loop

      for (Privilege disaggregate : privileges) {
          disaggregatedPrivilegeNames.add(disaggregate.getName());
      }

      If I modify the above snippet with the below code snippet, then the issue seems to be resolved.

      for (Privilege disaggregate : privileges) {
          if (!disaggregate.isAggregate())
              disaggregatedPrivilegeNames.add(disaggregate.getName());
      }

      Based on my initial testing the change seems to be working fine.

            People

            • Assignee:
              enorman Eric Norman
              Reporter:
              anjan Anjan
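The following is an added example, not code from Sling, Jackrabbit or the reporter: a toy model of the name bookkeeping that shows why a nested aggregate name such as "jcr:write" can be left behind in the denied set, and how the isAggregate() filter proposed in the report avoids it. The aggregate definitions for rep:write and jcr:write, the helper names, and the merge step (granted names are removed from the denied names) are assumptions made for this illustration.

```java
import java.util.*;

// Added illustration: a toy privilege model, not Sling or Jackrabbit code.
public class AggregateDisaggregationDemo {
    // Assumed aggregate definitions for rep:write and jcr:write.
    static final Map<String, List<String>> DECLARED = Map.of(
        "rep:write", List.of("jcr:write", "jcr:nodeTypeManagement"),
        "jcr:write", List.of("jcr:modifyProperties", "jcr:addChildNodes",
                             "jcr:removeNode", "jcr:removeChildNodes"));

    static boolean isAggregate(String name) { return DECLARED.containsKey(name); }

    // Models the behaviour the report describes for getAggregatePrivileges():
    // the result holds nested aggregates (jcr:write) as well as leaf privileges.
    static List<String> aggregatePrivileges(String name) {
        List<String> out = new ArrayList<>();
        for (String child : DECLARED.getOrDefault(name, List.of())) {
            out.add(child);
            out.addAll(aggregatePrivileges(child));
        }
        return out;
    }

    // leavesOnly=false is the loop as quoted in the report;
    // leavesOnly=true applies the proposed isAggregate() filter.
    static Set<String> disaggregate(String name, boolean leavesOnly) {
        Set<String> names = new TreeSet<>();
        if (!isAggregate(name)) { names.add(name); return names; }
        for (String p : aggregatePrivileges(name)) {
            if (!leavesOnly || !isAggregate(p)) names.add(p);
        }
        return names;
    }

    // Hypothetical merge step: names granted by the request leave the denied set.
    static Set<String> deniedAfterGrant(List<String> denied, List<String> granted, boolean leavesOnly) {
        Set<String> result = new TreeSet<>();
        for (String d : denied) result.addAll(disaggregate(d, leavesOnly));
        for (String g : granted) result.removeAll(disaggregate(g, leavesOnly));
        return result;
    }

    public static void main(String[] args) {
        // Denied and granted lists taken from steps (1) and (2) of the report.
        List<String> denied = List.of("jcr:versionManagement", "jcr:read", "jcr:modifyAccessControl", "rep:write");
        List<String> granted = List.of("jcr:versionManagement", "jcr:read", "jcr:modifyAccessControl",
                                       "jcr:nodeTypeManagement", "jcr:write");
        System.out.println("unfiltered: " + deniedAfterGrant(denied, granted, false));
        System.out.println("filtered:   " + deniedAfterGrant(denied, granted, true));
    }
}
```

In this model the unfiltered run leaves only "jcr:write" in the denied set, because the granted "jcr:write" expands to its leaf names while the denied "rep:write" expanded to a set that also contained the name "jcr:write" itself; the filtered run leaves the denied set empty.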