Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
Oak Restrictions 1.0.2
-
None
-
None
Description
I've run into a problem trying to get Sling permissions working for my use case. The simple case I'm trying right now is to allow a user 'alice' to have full access to all nodes at or below nodes with Sling resource type 'foo'. Here's the test procedure I'm following:
- Fire up sling-starter 11 and log into the Composum browser as admin.
- Add a user 'alice'.
- Add permission jcr:read to '/' for alice so she can browse in Composum.
- Create a sling:Folder node '/content/data' with Sling resource type 'foo'.
- Create a sling:Folder node '/content/data/child1' with Sling resource type 'foo'.
- For the '/content/data' node, add a permission with principal 'alice', rule 'allow', privileges 'jcr:all', and restrictions 'sling:resourceTypesWithDescendants=foo'.
- In a separate browser, log in as alice and go to Composum.
- As alice, try to create the node '/content/data/child2'.
Expected: User 'alice' can create the node.
Actual: The Composum "Create New Node" dialog displays the error "Error 400 javax.jcr.AccessDeniedException: OakAccess0000: Access denied" and the node is not created.
If I check effective permissions in Composum for /content/data and /content/data/child1, I see that 'alice' does receive jcr:all for both nodes. Further, I can perform this check either as admin or alice, whereas I cannot look at permissions on /content as alice.
If I try the Sling POST servlet as alice to create the node, I get a different exception "org.apache.sling.api.resource.PersistenceException: Resource at '/content/data/foo' is not modifiable."
henzlerg duplicated the issue and provided the following explanation:
I had a look and I could reproduce. I have used this module to hide existing nodes (denies), that's why I've never run into it.
The root cause is that for the create case, not only [1] but also [2] gets called (since there is no tree available). ResourceTypePattern [3] always returns false in the same way as oak ootb NodeTypePattern [4]. So I'm not sure if we can even solve this, but I'd like to try, please create an issue in JIRA for this.