jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r833210 - in /jackrabbit/trunk/jackrabbit-core/src: main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
Date Thu, 05 Nov 2009 22:08:24 GMT
Author: angela
Date: Thu Nov  5 22:08:24 2009
New Revision: 833210

URL: http://svn.apache.org/viewvc?rev=833210&view=rev
Log:
JCR-2386 - wrong eval order of access control entries within a single node

Modified:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java?rev=833210&r1=833209&r2=833210&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
Thu Nov  5 22:08:24 2009
@@ -581,6 +581,10 @@
             PrincipalManager principalMgr = sImpl.getPrincipalManager();
             AccessControlManager acMgr = sImpl.getAccessControlManager();
 
+            // first collect aces present on the given aclNode.
+            List<AccessControlEntry> gaces = new ArrayList<AccessControlEntry>();
+            List<AccessControlEntry> uaces = new ArrayList<AccessControlEntry>();
+
             NodeIterator itr = aclNode.getNodes();
             while (itr.hasNext()) {
                 NodeImpl aceNode = (NodeImpl) itr.nextNode();
@@ -605,13 +609,26 @@
                             aceNode.isNodeType(AccessControlConstants.NT_REP_GRANT_ACE),
                             sImpl.getValueFactory());
                     // add it to the proper list (e.g. separated by principals)
+                    /**
+                     * NOTE: access control entries must be collected in reverse
+                     * order in order to assert proper evaluation.
+                     */
                     if (princ instanceof Group) {
-                        groupAces.add(ace);
+                        gaces.add(0, ace);
                     } else {
-                        userAces.add(ace);
+                        uaces.add(0, ace);
                     }
                 }
             }
+
+            // add the lists of aces to the overall lists that contain the entries
+            // throughout the hierarchy.
+            if (!gaces.isEmpty()) {
+                groupAces.addAll(gaces);
+            }
+            if (!uaces.isEmpty()) {
+                userAces.addAll(uaces);
+            }
         }
 
         private Iterator<AccessControlEntry> iterator() {

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java?rev=833210&r1=833209&r2=833210&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
Thu Nov  5 22:08:24 2009
@@ -18,11 +18,13 @@
 
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.api.security.user.Group;
+import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.core.security.authorization.AbstractWriteTest;
 import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
 import org.apache.jackrabbit.core.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.core.security.TestPrincipal;
 import org.apache.jackrabbit.test.NotExecutableException;
 
 import javax.jcr.AccessDeniedException;
@@ -37,6 +39,7 @@
 import java.security.Principal;
 import java.util.Collections;
 import java.util.Map;
+import java.util.UUID;
 
 /**
  * <code>EvaluationTest</code>...
@@ -263,4 +266,76 @@
         // result at 'child path' must be deny
         assertFalse(testAcMgr.hasPrivileges(childNPath, privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES)));
     }
+
+        public void testMultipleGroupPermissionsOnNode() throws NotExecutableException, RepositoryException
{
+        Group testGroup = getTestGroup();
+
+        /* create a second group the test user is member of */
+        Principal principal = new TestPrincipal("testGroup" + UUID.randomUUID());
+        UserManager umgr = getUserManager(superuser);
+        Group group2 = umgr.createGroup(principal);
+        try {
+            group2.addMember(testUser);
+            if (!umgr.isAutoSave() && superuser.hasPendingChanges()) {
+                superuser.save();
+            }
+
+            /* add privileges for the Group the test-user is member of */
+            Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+            givePrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(superuser,
path));
+
+            withdrawPrivileges(path, group2.getPrincipal(), privileges, getRestrictions(superuser,
path));
+
+            /*
+             testuser must get the permissions/privileges inherited from
+             the group it is member of.
+             the denial of group2 must succeed
+            */
+            String actions = javax.jcr.Session.ACTION_SET_PROPERTY + "," + javax.jcr.Session.ACTION_READ;
+
+            AccessControlManager testAcMgr = getTestACManager();
+
+            assertFalse(getTestSession().hasPermission(path, actions));
+            Privilege[] privs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+            assertFalse(testAcMgr.hasPrivileges(path, privs));
+        } finally {
+            group2.remove();
+        }
+    }
+
+    public void testMultipleGroupPermissionsOnNode2() throws NotExecutableException, RepositoryException
{
+        Group testGroup = getTestGroup();
+
+        /* create a second group the test user is member of */
+        Principal principal = new TestPrincipal("testGroup" + UUID.randomUUID());
+        UserManager umgr = getUserManager(superuser);
+        Group group2 = umgr.createGroup(principal);
+
+        try {
+            group2.addMember(testUser);
+            if (!umgr.isAutoSave() && superuser.hasPendingChanges()) {
+                superuser.save();
+            }
+
+            /* add privileges for the Group the test-user is member of */
+            Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+            withdrawPrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(superuser,
path));
+
+            givePrivileges(path, group2.getPrincipal(), privileges, getRestrictions(superuser,
path));
+
+            /*
+             testuser must get the permissions/privileges inherited from
+             the group it is member of.
+             the denial of group2 must succeed
+            */
+            String actions = javax.jcr.Session.ACTION_SET_PROPERTY + "," + javax.jcr.Session.ACTION_READ;
+
+            AccessControlManager testAcMgr = getTestACManager();
+            assertTrue(getTestSession().hasPermission(path, actions));
+            Privilege[] privs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+            assertTrue(testAcMgr.hasPrivileges(path, privs));
+        } finally {
+            group2.remove();
+        }
+    }
 }
\ No newline at end of file



Mime
View raw message