Affects Version/s: Oak Restrictions 1.0.2
Fix Version/s: None
I've run into a problem trying to get Sling permissions working for my use case. The simple case I'm trying right now is to allow a user 'alice' to have full access to all nodes at or below nodes with Sling resource type 'foo'. Here's the test procedure I'm following:
- Fire up sling-starter 11 and log into the Composum browser as admin.
- Add a user 'alice'.
- Add permission jcr:read to '/' for alice so she can browse in Composum.
- Create a sling:Folder node '/content/data' with Sling resource type 'foo'.
- Create a sling:Folder node '/content/data/child1' with Sling resource type 'foo'.
- For the '/content/data' node, add a permission with principal 'alice', rule 'allow', privileges 'jcr:all', and restrictions 'sling:resourceTypesWithDescendants=foo'.
- In a separate browser, log in as alice and go to Composum.
- As alice, try to create the node '/content/data/child2'.
Expected: User 'alice' can create the node.
Actual: The Composum "Create New Node" dialog displays the error "Error 400 javax.jcr.AccessDeniedException: OakAccess0000: Access denied" and the node is not created.
If I check effective permissions in Composum for /content/data and /content/data/child1, I see that 'alice' does receive jcr:all for both nodes. Further, I can perform this check either as admin or alice, whereas I cannot look at permissions on /content as alice.
If I try the Sling POST servlet as alice to create the node, I get a different exception "org.apache.sling.api.resource.PersistenceException: Resource at '/content/data/foo' is not modifiable."
Georg Henzler duplicated the issue and provided the following explanation:
I had a look and I could reproduce. I have used this module to hide existing nodes (denies), that's why I've never run into it.
The root cause is that for the create case, not only  but also  gets called (since there is no tree available). ResourceTypePattern  always returns false in the same way as oak ootb NodeTypePattern . So I'm not sure if we can even solve this, but I'd like to try, please create an issue in JIRA for this.