jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ju...@apache.org
Subject svn commit: r884108 [7/10] - in /jackrabbit/sandbox/JCR-1456: ./ jackrabbit-api/ jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/ jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/ jackrabbit-core/ jackrabbit-core/src...
Date Wed, 25 Nov 2009 14:04:50 GMT
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/AccessManagerTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/AccessManagerTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/AccessManagerTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/AccessManagerTest.java Wed Nov 25 14:04:38 2009
@@ -100,7 +100,8 @@
         AccessManager acMgr = getAccessManager(superuser);
 
         NodeId id = (NodeId) getItemId(superuser.getItem(testRootNode.getPath()));
-        // NOTE: backwards compat. for depr. method: invalid perm-flags will be ignored
+        // NOTE: backwards compatibility.
+        // for deprecated method: invalid perm-flags will be ignored
         acMgr.checkPermission(id, AccessManager.READ - 1);
     }
 
@@ -108,7 +109,8 @@
         AccessManager acMgr = getAccessManager(superuser);
 
         NodeId id = (NodeId) getItemId(superuser.getItem(testRootNode.getPath()));
-        // NOTE: backwards compat. for depr. method: invalid perm-flags will be ignored
+        // NOTE: backwards compatibility.
+        // for deprecated method: invalid perm-flags will be ignored
         acMgr.checkPermission(id, AccessManager.READ | AccessManager.WRITE | AccessManager.REMOVE  + 1);
     }
 
@@ -186,8 +188,8 @@
         Session s = getHelper().getReadOnlySession();
         try {
             String[] wspNames = s.getWorkspace().getAccessibleWorkspaceNames();
-            for (int i = 0; i < wspNames.length; i++) {
-                assertTrue(getAccessManager(s).canAccess(wspNames[i]));
+            for (String wspName : wspNames) {
+                assertTrue(getAccessManager(s).canAccess(wspName));
             }
         } finally {
             s.logout();
@@ -214,7 +216,7 @@
     public void testCanAccessNotExistingWorkspace() throws RepositoryException, NotExecutableException {
         Session s = getHelper().getReadOnlySession();
         try {
-            List all = Arrays.asList(s.getWorkspace().getAccessibleWorkspaceNames());
+            List<String> all = Arrays.asList(s.getWorkspace().getAccessibleWorkspaceNames());
             String testName = "anyWorkspace";
             int i = 0;
             while (all.contains(testName)) {

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/TestAll.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/TestAll.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authentication/TestAll.java Wed Nov 25 14:04:38 2009
@@ -16,22 +16,19 @@
  */
 package org.apache.jackrabbit.core.security.authentication;
 
-import junit.framework.TestCase;
 import junit.framework.Test;
+import junit.framework.TestCase;
 import junit.framework.TestSuite;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 /** <code>TestAll</code>... */
 public class TestAll extends TestCase {
 
-    private static Logger log = LoggerFactory.getLogger(TestAll.class);
-
     public static Test suite() {
         TestSuite suite = new TestSuite("core.security.authentication tests");
 
         suite.addTestSuite(GuestLoginTest.class);
         suite.addTestSuite(NullLoginTest.class);
+        suite.addTestSuite(CryptedSimpleCredentialsTest.class);
 
         return suite;
     }

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java Wed Nov 25 14:04:38 2009
@@ -66,6 +66,8 @@
 
     protected abstract JackrabbitAccessControlList createEmptyTemplate(String path) throws RepositoryException;
 
+    protected abstract Principal getSecondPrincipal() throws Exception;
+
     public void testEmptyTemplate() throws RepositoryException {
         JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
 
@@ -260,4 +262,63 @@
             // success
         }
     }
+
+    public void testReorder() throws Exception {
+        Privilege[] read = privilegesFromName(Privilege.JCR_READ);
+        Privilege[] write = privilegesFromName(Privilege.JCR_WRITE);
+
+        Principal p2 = getSecondPrincipal();
+
+        AbstractACLTemplate acl = (AbstractACLTemplate) createEmptyTemplate(getTestPath());
+        acl.addAccessControlEntry(testPrincipal, read);
+        acl.addEntry(testPrincipal, write, false);
+        acl.addAccessControlEntry(p2, write);
+
+        AccessControlEntry[] entries = acl.getAccessControlEntries();
+
+        assertEquals(3, entries.length);
+        AccessControlEntry aReadTP = entries[0];
+        AccessControlEntry dWriteTP = entries[1];
+        AccessControlEntry aWriteP2 = entries[2];
+
+        // reorder aWriteP2 to the first position
+        acl.orderBefore(aWriteP2, aReadTP);
+        assertEquals(0, acl.getEntries().indexOf(aWriteP2));
+        assertEquals(1, acl.getEntries().indexOf(aReadTP));
+        assertEquals(2, acl.getEntries().indexOf(dWriteTP));
+
+        // reorder aReadTP to the end of the list
+        acl.orderBefore(aReadTP, null);
+        assertEquals(0, acl.getEntries().indexOf(aWriteP2));
+        assertEquals(1, acl.getEntries().indexOf(dWriteTP));
+        assertEquals(2, acl.getEntries().indexOf(aReadTP));
+    }
+
+    public void testReorderInvalidElements() throws Exception {
+        Privilege[] read = privilegesFromName(Privilege.JCR_READ);
+        Privilege[] write = privilegesFromName(Privilege.JCR_WRITE);
+
+        Principal p2 = getSecondPrincipal();
+
+        AbstractACLTemplate acl = (AbstractACLTemplate) createEmptyTemplate(getTestPath());
+        acl.addAccessControlEntry(testPrincipal, read);
+        acl.addAccessControlEntry(p2, write);
+
+        AbstractACLTemplate acl2 = (AbstractACLTemplate) createEmptyTemplate(getTestPath());
+        acl2.addEntry(testPrincipal, write, false);
+
+        AccessControlEntry invalid = acl2.getEntries().get(0);
+        try {
+            acl.orderBefore(invalid, acl.getEntries().get(0));
+            fail("src entry not contained in list -> reorder should fail.");
+        } catch (AccessControlException e) {
+            // success
+        }
+        try {
+            acl.orderBefore(acl.getEntries().get(0), invalid);
+            fail("dest entry not contained in list -> reorder should fail.");
+        } catch (AccessControlException e) {
+            // success
+        }
+    }
 }
\ No newline at end of file

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java Wed Nov 25 14:04:38 2009
@@ -20,6 +20,7 @@
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.test.NotExecutableException;
 import org.apache.jackrabbit.test.api.security.AbstractAccessControlTest;
 import org.slf4j.Logger;
@@ -45,6 +46,7 @@
 
     private static Logger log = LoggerFactory.getLogger(AbstractEvaluationTest.class);
 
+    private String uid;
     protected User testUser;
     protected Credentials creds;
     
@@ -63,10 +65,13 @@
         try {
             UserManager uMgr = getUserManager(superuser);
             // create the testUser
-            String uid = "testUser" + UUID.randomUUID();
+            uid = "testUser" + UUID.randomUUID();
             creds = new SimpleCredentials(uid, uid.toCharArray());
 
             testUser = uMgr.createUser(uid, uid);
+            if (!uMgr.isAutoSave()) {
+                superuser.save();
+            }
         } catch (Exception e) {
             superuser.logout();
             throw e;
@@ -90,8 +95,14 @@
         if (testSession != null && testSession.isLive()) {
             testSession.logout();
         }
-        if (testUser != null) {
-            testUser.remove();
+        if (uid != null) {
+            Authorizable a = getUserManager(superuser).getAuthorizable(uid);
+            if (a != null) {
+                a.remove();
+                if (!getUserManager(superuser).isAutoSave()) {
+                    superuser.save();
+                }
+            }
         }
         super.tearDown();
     }
@@ -151,7 +162,7 @@
         acMgr.setPolicy(tmpl.getPath(), tmpl);
         superuser.save();
 
-        // remember for clean up during teardown
+        // remember for clean up during tearDown
         toClear.add(tmpl.getPath());
         return tmpl;
     }

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractVersionManagementTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractVersionManagementTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractVersionManagementTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractVersionManagementTest.java Wed Nov 25 14:04:38 2009
@@ -75,7 +75,7 @@
         modifyPrivileges(trn.getPath(), Privilege.JCR_VERSION_MANAGEMENT, true);
 
         Node n = createVersionableNode(trn);
-        Version v = n.checkin();
+        n.checkin();
         n.checkout();
     }
 

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java Wed Nov 25 14:04:38 2009
@@ -18,7 +18,7 @@
 
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.api.security.user.Group;
-import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.core.security.TestPrincipal;
 import org.apache.jackrabbit.test.JUnitTest;
 import org.apache.jackrabbit.test.NotExecutableException;
@@ -86,24 +86,29 @@
     }
 
     protected void tearDown() throws Exception {
-        // make sure all ac info is removed
-        if (testGroup != null && testUser != null) {
-            testGroup.removeMember(testUser);
-            testGroup.remove();
+        try {
+            if (testGroup != null && testUser != null) {
+                testGroup.removeMember(testUser);
+                testGroup.remove();
+                if (!getUserManager(superuser).isAutoSave() && superuser.hasPendingChanges()) {
+                    superuser.save();
+                }
+            }
+        } finally {
+            super.tearDown();
         }
-        super.tearDown();
-    }
-
-    protected User getTestUser() {
-        return testUser;
     }
 
     protected Group getTestGroup() throws RepositoryException, NotExecutableException {
         if (testGroup == null) {
             // create the testGroup
             Principal principal = new TestPrincipal("testGroup" + UUID.randomUUID());
-            testGroup = getUserManager(superuser).createGroup(principal);
+            UserManager umgr = getUserManager(superuser);
+            testGroup = umgr.createGroup(principal);
             testGroup.addMember(testUser);
+            if (!umgr.isAutoSave() && superuser.hasPendingChanges()) {
+                superuser.save();
+            }
         }
         return testGroup;
     }
@@ -945,6 +950,9 @@
 
         // remove the test user
         testUser.remove();
+        if (!getUserManager(superuser).isAutoSave() && superuser.hasPendingChanges()) {
+            superuser.save();
+        }
         testUser = null;
 
         // try to retrieve the acl again
@@ -983,6 +991,51 @@
         assertTrue(acMgr.hasPrivileges(path, remainingprivs.toArray(new Privilege[remainingprivs.size()])));
     }
 
+    public void testReorder() throws RepositoryException, NotExecutableException {
+        Session testSession = getTestSession();
+        Node n = testSession.getNode(path);
+        try {
+            if (!n.getPrimaryNodeType().hasOrderableChildNodes()) {
+                throw new NotExecutableException("Reordering child nodes is not supported..");
+            }
+
+            n.orderBefore(Text.getName(childNPath), Text.getName(childNPath2));
+            testSession.save();
+            fail("test session must not be allowed to reorder nodes.");
+        } catch (AccessDeniedException e) {
+            // success.
+        }
+
+        // give 'add_child_nodes' and 'nt-management' privilege
+        // -> not sufficient privileges for a reorder
+        givePrivileges(path, privilegesFromNames(new String[] {Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_NODE_TYPE_MANAGEMENT}), getRestrictions(superuser, path));
+        try {
+            n.orderBefore(Text.getName(childNPath), Text.getName(childNPath2));
+            testSession.save();
+            fail("test session must not be allowed to reorder nodes.");
+        } catch (AccessDeniedException e) {
+            // success.
+        }
+
+        // add 'remove_child_nodes' at 'path
+        // -> not sufficient for a reorder since 'remove_node' privilege is missing
+        //    on the target
+        givePrivileges(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES), getRestrictions(superuser, path));
+        try {
+            n.orderBefore(Text.getName(childNPath), Text.getName(childNPath2));
+            testSession.save();
+            fail("test session must not be allowed to reorder nodes.");
+        } catch (AccessDeniedException e) {
+            // success.
+        }
+
+        // allow 'remove_node' at childNPath
+        // -> now reorder must succeed
+        givePrivileges(childNPath, privilegesFromName(Privilege.JCR_REMOVE_NODE), getRestrictions(superuser, childNPath));
+        n.orderBefore(Text.getName(childNPath), Text.getName(childNPath2));
+        testSession.save();
+    }
+
     private static Node findPolicyNode(Node start) throws RepositoryException {
         Node policyNode = null;
         if (start.isNodeType("rep:Policy")) {

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java Wed Nov 25 14:04:38 2009
@@ -18,11 +18,13 @@
 
 import org.apache.jackrabbit.api.JackrabbitSession;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.core.security.authorization.AbstractACLTemplateTest;
 import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
+import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.test.NotExecutableException;
 
 import javax.jcr.RepositoryException;
@@ -32,12 +34,15 @@
 import java.security.Principal;
 import java.security.acl.Group;
 import java.util.Collections;
+import java.util.Map;
 
 /**
  * <code>ACLTemplateTest</code>...
  */
 public class ACLTemplateTest extends AbstractACLTemplateTest {
 
+    private Map<String, Value> restrictions = Collections.<String, Value>emptyMap();
+
     protected String getTestPath() {
         return "/ab/c/d";
     }
@@ -49,10 +54,14 @@
         return new ACLTemplate(path, princicipalMgr, privilegeRegistry, sImpl.getValueFactory());
     }
 
+    protected Principal getSecondPrincipal() throws Exception {
+        return pMgr.getEveryone();
+    }
+
     public void testMultipleEntryEffect() throws RepositoryException, NotExecutableException {
         JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
         Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-        pt.addEntry(testPrincipal, privileges, true, Collections.<String, Value>emptyMap());
+        pt.addEntry(testPrincipal, privileges, true, restrictions);
 
         // new entry extends privileges.
         privileges = privilegesFromNames(new String[] {
@@ -60,7 +69,7 @@
                 Privilege.JCR_ADD_CHILD_NODES});
         assertTrue(pt.addEntry(testPrincipal,
                 privileges,
-                true, Collections.<String, Value>emptyMap()));
+                true, restrictions));
 
         // net-effect: only a single allow-entry with both privileges
         assertTrue(pt.size() == 1);
@@ -68,14 +77,14 @@
 
         // adding just ADD_CHILD_NODES -> must not remove READ privilege
         Privilege[] achPrivs = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
-        assertFalse(pt.addEntry(testPrincipal, achPrivs, true, Collections.<String, Value>emptyMap()));
+        assertFalse(pt.addEntry(testPrincipal, achPrivs, true, restrictions));
         // net-effect: only a single allow-entry with add_child_nodes + read privilege
         assertTrue(pt.size() == 1);
         assertSamePrivileges(privileges, pt.getAccessControlEntries()[0].getPrivileges());
 
         // revoke the 'READ' privilege
         privileges = privilegesFromName(Privilege.JCR_READ);
-        assertTrue(pt.addEntry(testPrincipal, privileges, false, Collections.<String, Value>emptyMap()));
+        assertTrue(pt.addEntry(testPrincipal, privileges, false, restrictions));
         // net-effect: 2 entries one allowing ADD_CHILD_NODES, the other denying READ
         assertTrue(pt.size() == 2);
         assertSamePrivileges(privilegesFromName(Privilege.JCR_ADD_CHILD_NODES),
@@ -160,13 +169,113 @@
         JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
         Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
 
-        pt.addEntry(testPrincipal, privileges, true, Collections.<String, Value>emptyMap());
+        pt.addEntry(testPrincipal, privileges, true, restrictions);
 
         // same entry but with revers 'isAllow' flag
-        assertTrue(pt.addEntry(testPrincipal, privileges, false, Collections.<String, Value>emptyMap()));
+        assertTrue(pt.addEntry(testPrincipal, privileges, false, restrictions));
 
         // net-effect: only a single deny-read entry
-        assertTrue(pt.size() == 1);
+        assertEquals(1, pt.size());
         assertSamePrivileges(privileges, pt.getAccessControlEntries()[0].getPrivileges());
     }
+
+    public void testUpdateEntry() throws RepositoryException, NotExecutableException {
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+
+        Privilege[] readPriv = privilegesFromName(Privilege.JCR_READ);
+        Privilege[] writePriv = privilegesFromName(Privilege.JCR_WRITE);
+
+        Principal principal2 = pMgr.getEveryone();
+
+        pt.addEntry(testPrincipal, readPriv, true, restrictions);
+        pt.addEntry(principal2, readPriv, true, restrictions);
+        pt.addEntry(testPrincipal, writePriv, false, restrictions);
+
+        // adding an entry that should update the existing allow-entry for everyone.
+        pt.addEntry(principal2, writePriv, true, restrictions);
+
+        AccessControlEntry[] entries = pt.getAccessControlEntries();
+        assertEquals(3, entries.length);
+        JackrabbitAccessControlEntry princ2AllowEntry = (JackrabbitAccessControlEntry) entries[1];
+        assertEquals(principal2, princ2AllowEntry.getPrincipal());
+        assertTrue(princ2AllowEntry.isAllow());
+        assertSamePrivileges(new Privilege[] {readPriv[0], writePriv[0]}, princ2AllowEntry.getPrivileges());
+    }
+
+    public void testUpdateComplementaryEntry() throws RepositoryException, NotExecutableException {
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+
+        Privilege[] readPriv = privilegesFromName(Privilege.JCR_READ);
+        Privilege[] writePriv = privilegesFromName(Privilege.JCR_WRITE);
+        Principal principal2 = pMgr.getEveryone();
+
+        pt.addEntry(testPrincipal, readPriv, true, restrictions);
+        pt.addEntry(principal2, readPriv, true, restrictions);
+        pt.addEntry(testPrincipal, writePriv, false, restrictions);
+        pt.addEntry(principal2, writePriv, true, restrictions);
+        // entry complementary to the first entry
+        // -> must remove the allow-READ entry and update the deny-WRITE entry.
+        pt.addEntry(testPrincipal, readPriv, false, restrictions);
+
+        AccessControlEntry[] entries = pt.getAccessControlEntries();
+
+        assertEquals(2, entries.length);
+
+        JackrabbitAccessControlEntry first = (JackrabbitAccessControlEntry) entries[0];
+        assertEquals(principal2, first.getPrincipal());
+
+        JackrabbitAccessControlEntry second = (JackrabbitAccessControlEntry) entries[1];
+        assertEquals(testPrincipal, second.getPrincipal());
+        assertFalse(second.isAllow());
+        assertSamePrivileges(new Privilege[] {readPriv[0], writePriv[0]}, second.getPrivileges());
+    }
+
+    public void testTwoEntriesPerPrincipal() throws RepositoryException, NotExecutableException {
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+
+        Privilege[] readPriv = privilegesFromName(Privilege.JCR_READ);
+        Privilege[] writePriv = privilegesFromName(Privilege.JCR_WRITE);
+        Privilege[] acReadPriv = privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL);
+
+        pt.addEntry(testPrincipal, readPriv, true, restrictions);
+        pt.addEntry(testPrincipal, writePriv, true, restrictions);
+        pt.addEntry(testPrincipal, acReadPriv, true, restrictions);
+
+        pt.addEntry(testPrincipal, readPriv, false, restrictions);
+        pt.addEntry(new PrincipalImpl(testPrincipal.getName()), readPriv, false, restrictions);
+        pt.addEntry(new Principal() {
+            public String getName() {
+                return testPrincipal.getName();
+            }
+        }, readPriv, false, restrictions);
+
+        AccessControlEntry[] entries = pt.getAccessControlEntries();
+        assertEquals(2, entries.length);
+    }
+
+    /**
+     * Test if new entries get appended at the end of the list.
+     *
+     * @throws RepositoryException
+     * @throws NotExecutableException
+     */
+    public void testNewEntriesAppendedAtEnd() throws RepositoryException, NotExecutableException {
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
+
+        Privilege[] readPriv = privilegesFromName(Privilege.JCR_READ);
+        Privilege[] writePriv = privilegesFromName(Privilege.JCR_WRITE);
+
+        pt.addEntry(testPrincipal, readPriv, true, restrictions);
+        pt.addEntry(pMgr.getEveryone(), readPriv, true, restrictions);
+        pt.addEntry(testPrincipal, writePriv, false, restrictions);
+
+        AccessControlEntry[] entries = pt.getAccessControlEntries();
+
+        assertEquals(3, entries.length);
+
+        JackrabbitAccessControlEntry last = (JackrabbitAccessControlEntry) entries[2];
+        assertEquals(testPrincipal, last.getPrincipal());
+        assertEquals(false, last.isAllow());
+        assertEquals(writePriv[0], last.getPrivileges()[0]);
+    }
 }
\ No newline at end of file

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java Wed Nov 25 14:04:38 2009
@@ -17,10 +17,14 @@
 package org.apache.jackrabbit.core.security.authorization.acl;
 
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.api.security.user.Group;
+import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.core.security.authorization.AbstractWriteTest;
 import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
+import org.apache.jackrabbit.core.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.core.security.TestPrincipal;
 import org.apache.jackrabbit.test.NotExecutableException;
 
 import javax.jcr.AccessDeniedException;
@@ -35,6 +39,7 @@
 import java.security.Principal;
 import java.util.Collections;
 import java.util.Map;
+import java.util.UUID;
 
 /**
  * <code>EvaluationTest</code>...
@@ -109,7 +114,7 @@
         // test if testuser can modify AC-items
         // 1) add an ac-entry
         ACLTemplate acl = (ACLTemplate) policies[0];
-        acl.addAccessControlEntry(getTestUser().getPrincipal(), privilegesFromName(PrivilegeRegistry.REP_WRITE));
+        acl.addAccessControlEntry(testUser.getPrincipal(), privilegesFromName(PrivilegeRegistry.REP_WRITE));
         testAcMgr.setPolicy(path, acl);
         testSession.save();
 
@@ -214,4 +219,123 @@
         // remove_child_node privilege is missing on the direct ancestor.
         assertFalse(testSession.hasPermission(gcPath, Session.ACTION_REMOVE));
     }
+
+    public void testInheritedGroupPermissions() throws NotExecutableException, RepositoryException {
+        Group testGroup = getTestGroup();
+        AccessControlManager testAcMgr = getTestACManager();
+        /*
+         precondition:
+         testuser must have READ-only permission on test-node and below
+        */
+        checkReadOnly(path);
+
+        Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+
+        /* give MODIFY_PROPERTIES privilege for testGroup at 'path' */
+        givePrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(superuser, path));
+        /*
+         withdraw MODIFY_PROPERTIES privilege for everyone at 'childNPath'
+         */
+        withdrawPrivileges(childNPath, EveryonePrincipal.getInstance(), privileges, getRestrictions(superuser, path));
+
+        // result at 'child path' must be deny
+        assertFalse(testAcMgr.hasPrivileges(childNPath, privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES)));    
+    }
+
+    public void testInheritedGroupPermissions2() throws NotExecutableException, RepositoryException {
+        Group testGroup = getTestGroup();
+        AccessControlManager testAcMgr = getTestACManager();
+        /*
+         precondition:
+         testuser must have READ-only permission on test-node and below
+        */
+        checkReadOnly(path);
+
+        Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+
+        // NOTE: same as testInheritedGroupPermissions above but using
+        // everyone on path, testgroup on childpath -> result must be the same
+
+        /* give MODIFY_PROPERTIES privilege for everyone at 'path' */
+        givePrivileges(path, EveryonePrincipal.getInstance(), privileges, getRestrictions(superuser, path));
+        /*
+         withdraw MODIFY_PROPERTIES privilege for testGroup at 'childNPath'
+         */
+        withdrawPrivileges(childNPath, testGroup.getPrincipal(), privileges, getRestrictions(superuser, path));
+
+        // result at 'child path' must be deny
+        assertFalse(testAcMgr.hasPrivileges(childNPath, privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES)));
+    }
+
+        public void testMultipleGroupPermissionsOnNode() throws NotExecutableException, RepositoryException {
+        Group testGroup = getTestGroup();
+
+        /* create a second group the test user is member of */
+        Principal principal = new TestPrincipal("testGroup" + UUID.randomUUID());
+        UserManager umgr = getUserManager(superuser);
+        Group group2 = umgr.createGroup(principal);
+        try {
+            group2.addMember(testUser);
+            if (!umgr.isAutoSave() && superuser.hasPendingChanges()) {
+                superuser.save();
+            }
+
+            /* add privileges for the Group the test-user is member of */
+            Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+            givePrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(superuser, path));
+
+            withdrawPrivileges(path, group2.getPrincipal(), privileges, getRestrictions(superuser, path));
+
+            /*
+             testuser must get the permissions/privileges inherited from
+             the group it is member of.
+             the denial of group2 must succeed
+            */
+            String actions = javax.jcr.Session.ACTION_SET_PROPERTY + "," + javax.jcr.Session.ACTION_READ;
+
+            AccessControlManager testAcMgr = getTestACManager();
+
+            assertFalse(getTestSession().hasPermission(path, actions));
+            Privilege[] privs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+            assertFalse(testAcMgr.hasPrivileges(path, privs));
+        } finally {
+            group2.remove();
+        }
+    }
+
+    public void testMultipleGroupPermissionsOnNode2() throws NotExecutableException, RepositoryException {
+        Group testGroup = getTestGroup();
+
+        /* create a second group the test user is member of */
+        Principal principal = new TestPrincipal("testGroup" + UUID.randomUUID());
+        UserManager umgr = getUserManager(superuser);
+        Group group2 = umgr.createGroup(principal);
+
+        try {
+            group2.addMember(testUser);
+            if (!umgr.isAutoSave() && superuser.hasPendingChanges()) {
+                superuser.save();
+            }
+
+            /* add privileges for the Group the test-user is member of */
+            Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+            withdrawPrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(superuser, path));
+
+            givePrivileges(path, group2.getPrincipal(), privileges, getRestrictions(superuser, path));
+
+            /*
+             testuser must get the permissions/privileges inherited from
+             the group it is member of.
+             the denial of group2 must succeed
+            */
+            String actions = javax.jcr.Session.ACTION_SET_PROPERTY + "," + javax.jcr.Session.ACTION_READ;
+
+            AccessControlManager testAcMgr = getTestACManager();
+            assertTrue(getTestSession().hasPermission(path, actions));
+            Privilege[] privs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
+            assertTrue(testAcMgr.hasPrivileges(path, privs));
+        } finally {
+            group2.remove();
+        }
+    }
 }
\ No newline at end of file

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java Wed Nov 25 14:04:38 2009
@@ -49,7 +49,7 @@
 
         // simple test to check if proper provider is present:
         try {
-            getPrincipalBasedPolicy(acMgr, path, getTestUser().getPrincipal());
+            getPrincipalBasedPolicy(acMgr, path, testUser.getPrincipal());
         } catch (Exception e) {
             superuser.logout();
             throw e;
@@ -135,7 +135,7 @@
         assertFalse(testAcMgr.hasPrivileges(path, readPrivs));
 
         // remove the nodebased policy
-        JackrabbitAccessControlList policy = getPolicy(acMgr, path, getTestUser().getPrincipal());
+        JackrabbitAccessControlList policy = getPolicy(acMgr, path, testUser.getPrincipal());
         acMgr.removePolicy(policy.getPath(), policy);
         superuser.save();
 
@@ -152,7 +152,7 @@
         givePrivileges(path, wrtPrivileges, getRestrictions(superuser, path));
         // userbased: deny MODIFY_PROPERTIES privileges for 'testUser'
         Privilege[] modPropPrivs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
-        withdrawPrivileges(path, getTestUser().getPrincipal(), modPropPrivs, getPrincipalBasedRestrictions(path), false);
+        withdrawPrivileges(path, testUser.getPrincipal(), modPropPrivs, getPrincipalBasedRestrictions(path), false);
         /*
          expected result:
          - MODIFY_PROPERTIES privilege still present
@@ -162,7 +162,7 @@
 
         // nodebased: deny MODIFY_PROPERTIES privileges for 'testUser'
         //            on a child node.
-        withdrawPrivileges(childNPath, getTestUser().getPrincipal(), modPropPrivs, getRestrictions(superuser, childNPath));
+        withdrawPrivileges(childNPath, testUser.getPrincipal(), modPropPrivs, getRestrictions(superuser, childNPath));
         /*
          expected result:
          - MODIFY_PROPERTIES privilege still present at 'path'

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java Wed Nov 25 14:04:38 2009
@@ -25,6 +25,7 @@
 import javax.jcr.RepositoryException;
 import java.util.Arrays;
 import java.util.List;
+import java.security.Principal;
 
 /**
  * <code>ACLTemplateTest</code>...
@@ -42,6 +43,10 @@
         return new ACLTemplate(testPrincipal, testPath, (SessionImpl) superuser, superuser.getValueFactory());
     }
 
+    protected Principal getSecondPrincipal() throws Exception {
+        return testPrincipal;
+    }
+
     public void testGetRestrictionNames() throws RepositoryException {
         List names = Arrays.asList(createEmptyTemplate(getTestPath()).getRestrictionNames());
 

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java Wed Nov 25 14:04:38 2009
@@ -73,10 +73,14 @@
     }
 
     public void testEditor() throws NotExecutableException, RepositoryException {
+        UserManager uMgr = getUserManager(superuser);        
         User u = null;
         try {
-            UserManager uMgr = getUserManager(superuser);
             u = uMgr.createUser("t", "t");
+            if (!uMgr.isAutoSave()) {
+                superuser.save();
+            }
+
             Principal p = u.getPrincipal();
 
             JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) getAccessControlManager(superuser);
@@ -103,19 +107,23 @@
             superuser.refresh(false);
             if (u != null) {
                 u.remove();
+                if (!uMgr.isAutoSave()) {
+                    superuser.save();
+                }
             }
         }
     }
 
     public void testEditor2() throws NotExecutableException, RepositoryException {
+        UserManager uMgr = getUserManager(superuser);
         User u = null;
         User u2 = null;
-
         try {
-            UserManager uMgr = getUserManager(superuser);
-
             u = uMgr.createUser("t", "t");
             u2 = uMgr.createUser("tt", "tt", new TestPrincipal("tt"), "t/tt");
+            if (!uMgr.isAutoSave()) {
+                superuser.save();
+            }
 
             Principal p = u.getPrincipal();
             Principal p2 = u2.getPrincipal();
@@ -140,7 +148,10 @@
             superuser.refresh(false);
             if (u2 != null) u2.remove();
             if (u != null) u.remove();
-     }
+            if (!uMgr.isAutoSave()) {
+                superuser.save();
+            }
+        }
 
     }
     // TODO: add specific tests with other restrictions

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProviderTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProviderTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProviderTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProviderTest.java Wed Nov 25 14:04:38 2009
@@ -64,7 +64,7 @@
         assertFalse(pit.hasNext());
     }
 
-    public void testInheritedMemberShip() throws RepositoryException {
+    public void testInheritedMemberShip() throws RepositoryException, NotExecutableException {
         Principal up = getTestPrincipal();
 
         User u = null;
@@ -74,9 +74,12 @@
             u = userMgr.createUser(up.getName(), buildPassword(up));
             gr1 = userMgr.createGroup(getTestPrincipal());
             gr2 = userMgr.createGroup(getTestPrincipal());
+            save(superuser);
+
 
             gr1.addMember(gr2);
             gr2.addMember(u);
+            save(superuser);
 
             PrincipalIterator it = principalProvider.getGroupMembership(u.getPrincipal());
             while (it.hasNext()) {
@@ -96,6 +99,7 @@
             if (gr1 != null) gr1.remove();
             if (gr2 != null) gr2.remove();
             if (u != null) u.remove();
+            save(superuser);
         }
     }
 }
\ No newline at end of file

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/AdministratorTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/AdministratorTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/AdministratorTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/AdministratorTest.java Wed Nov 25 14:04:38 2009
@@ -18,33 +18,254 @@
 
 import org.apache.jackrabbit.api.security.user.AbstractUserTest;
 import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.core.NodeImpl;
+import org.apache.jackrabbit.core.SessionImpl;
+import org.apache.jackrabbit.core.nodetype.NodeTypeImpl;
+import org.apache.jackrabbit.core.id.NodeId;
 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.test.NotExecutableException;
+import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
+import org.apache.jackrabbit.spi.Name;
 
+import javax.jcr.Node;
 import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import java.util.Properties;
 
 /**
  * <code>AdministratorTest</code>...
  */
 public class AdministratorTest extends AbstractUserTest {
 
+    private String adminId;
+
+    @Override
+    protected void setUp() throws Exception {
+        super.setUp();
+
+        if (!(userMgr instanceof UserManagerImpl)) {
+            throw new NotExecutableException();
+        }
+        adminId = superuser.getUserID();
+        if (!((UserManagerImpl) userMgr).isAdminId(adminId)) {
+            throw new NotExecutableException();
+        }
+    }
+
     public void testGetPrincipal() throws RepositoryException {
-        Authorizable authr = userMgr.getAuthorizable(superuser.getUserID());
-        assertNotNull(authr);
-        assertFalse(authr.isGroup());
-        assertTrue(authr.getPrincipal() instanceof AdminPrincipal);
+        Authorizable admin = userMgr.getAuthorizable(adminId);
+        assertNotNull(admin);
+        assertFalse(admin.isGroup());
+        assertTrue(admin.getPrincipal() instanceof AdminPrincipal);
     }
 
     public void testRemoveSelf() throws RepositoryException, NotExecutableException {
-        Authorizable authr = userMgr.getAuthorizable(superuser.getUserID());
-        if (authr == null) {
+        Authorizable admin = userMgr.getAuthorizable(adminId);
+        if (admin == null) {
             throw new NotExecutableException();
         }
         try {
-            authr.remove();
+            admin.remove();
             fail("The Administrator should not be allowed to remove the own authorizable.");
         } catch (RepositoryException e) {
             // success
         }
     }
+
+    /**
+     * Test if the administrator is recreated upon login if the corresponding
+     * node gets removed.
+     *
+     * @throws RepositoryException
+     * @throws NotExecutableException
+     */
+    public void testRemoveAdminNode() throws RepositoryException, NotExecutableException {
+        Authorizable admin = userMgr.getAuthorizable(adminId);
+
+        if (admin == null || !(admin instanceof AuthorizableImpl)) {
+            throw new NotExecutableException();
+        }
+
+        // access the node corresponding to the admin user and remove it
+        NodeImpl adminNode = ((AuthorizableImpl) admin).getNode();
+        Session s = adminNode.getSession();
+        adminNode.remove();
+        // use session obtained from the node as usermgr may point to a dedicated
+        // system workspace different from the superusers workspace.
+        s.save();
+
+        // after removing the node the admin user doesn't exist any more
+        assertNull(userMgr.getAuthorizable(adminId));
+
+        // login must succeed as system user mgr recreates the admin user
+        Session s2 = getHelper().getSuperuserSession();
+        try {
+            admin = userMgr.getAuthorizable(adminId);
+            assertNotNull(admin);
+            assertNotNull(getUserManager(s2).getAuthorizable(adminId));
+        } finally {
+            s2.logout();
+        }
+    }
+
+    /**
+     * Test for collisions that would prevent from recreate the admin user.
+     *
+     * @throws RepositoryException
+     * @throws NotExecutableException
+     */
+    public void testAdminNodeCollidingWithAuthorizableFolder() throws RepositoryException, NotExecutableException {
+        Authorizable admin = userMgr.getAuthorizable(adminId);
+
+        if (admin == null || !(admin instanceof AuthorizableImpl)) {
+            throw new NotExecutableException();
+        }
+
+        // access the node corresponding to the admin user and remove it
+        NodeImpl adminNode = ((AuthorizableImpl) admin).getNode();
+        String adminPath = adminNode.getPath();
+        String adminNodeName = adminNode.getName();
+        Node parentNode = adminNode.getParent();
+
+        Session s = adminNode.getSession();
+        adminNode.remove();
+        // use session obtained from the node as usermgr may point to a dedicated
+        // system workspace different from the superusers workspace.
+        s.save();
+
+        Session s2 = null;
+        try {
+            // now create a colliding node:
+            parentNode.addNode(adminNodeName, "rep:AuthorizableFolder");
+            s.save();
+
+            // force recreation of admin user.
+            s2 = getHelper().getSuperuserSession();
+
+            admin = userMgr.getAuthorizable(adminId);
+            assertNotNull(admin);
+            assertEquals(adminNodeName, ((AuthorizableImpl) admin).getNode().getName());
+            assertFalse(adminPath.equals(((AuthorizableImpl) admin).getNode().getPath()));
+
+        } finally {
+            if (s2 == null) {
+                // something went wrong -> remove the folder again.
+                parentNode.remove();
+                s.save();
+                // force recreation of admin user.
+                s2 = getHelper().getSuperuserSession();
+            }
+            if (s2 != null) {
+                s2.logout();
+            }
+        }
+    }
+
+    /**
+     * Test if creation of the administrator user forces the removal of some
+     * other node in the repository that by change happens to have the same
+     * jcr:uuid and thus inhibits the creation of the admininstrator user.
+     */
+    public void testAdminNodeCollidingWithRandomNode() throws RepositoryException, NotExecutableException {
+        Authorizable admin = userMgr.getAuthorizable(adminId);
+
+        if (admin == null || !(admin instanceof AuthorizableImpl)) {
+            throw new NotExecutableException();
+        }
+
+        // access the node corresponding to the admin user and remove it
+        NodeImpl adminNode = ((AuthorizableImpl) admin).getNode();
+        NodeId nid = adminNode.getNodeId();
+        String adminPath = adminNode.getPath();
+
+        Session s = adminNode.getSession();
+        adminNode.remove();
+        // use session obtained from the node as usermgr may point to a dedicated
+        // system workspace different from the superusers workspace.
+        s.save();
+
+        Session s2 = null;
+        String collidingPath = null;
+        try {
+            // create a colliding node outside of the user tree
+            NameResolver nr = (SessionImpl) s;
+            NodeImpl tr = (NodeImpl) s.getRootNode();
+            Node n = tr.addNode(nr.getQName(nodeName1), nr.getQName(testNodeType), nid);
+            collidingPath = n.getPath();
+            s.save();
+
+            // force recreation of admin user.
+            s2 = getHelper().getSuperuserSession();
+
+            admin = userMgr.getAuthorizable(adminId);
+            assertNotNull(admin);
+            // the colliding node must have been removed.
+            assertFalse(s2.nodeExists(collidingPath));
+
+        } finally {
+            if (s2 != null) {
+                s2.logout();
+            }
+            if (collidingPath != null && s.nodeExists(collidingPath)) {
+                s.getNode(collidingPath).remove();
+                s.save();
+            }
+        }
+    }
+
+    /**
+     * Reconfiguration of the user-root-path will result in node collision
+     * upon initialization of the built-in repository users. Test if the
+     * UserManagerImpl in this case removes the colliding admin-user node.
+     */
+    public void testChangeUserRootPath() throws RepositoryException, NotExecutableException {
+        Authorizable admin = userMgr.getAuthorizable(adminId);
+
+        if (admin == null || !(admin instanceof AuthorizableImpl)) {
+            throw new NotExecutableException();
+        }
+
+        // access the node corresponding to the admin user and remove it
+        NodeImpl adminNode = ((AuthorizableImpl) admin).getNode();
+        NodeId nid = adminNode.getNodeId();
+        Name nName = adminNode.getQName();
+        Name ntName = ((NodeTypeImpl) adminNode.getPrimaryNodeType()).getQName();
+
+        Session s = adminNode.getSession();
+        adminNode.remove();
+        // use session obtained from the node as usermgr may point to a dedicated
+        // system workspace different from the superusers workspace.
+        s.save();
+
+        Session s2 = null;
+        String collidingPath = null;
+        try {
+            // create a colliding user node outside of the user tree
+            Properties props = new Properties();
+            props.setProperty("usersPath", "/testPath");
+            UserManager um = new UserManagerImpl((SessionImpl) s, adminId, props);
+            User collidingUser = um.createUser(adminId, adminId);
+            collidingPath = ((AuthorizableImpl) collidingUser).getNode().getPath();
+            s.save();
+
+            // force recreation of admin user.
+            s2 = getHelper().getSuperuserSession();
+
+            admin = userMgr.getAuthorizable(adminId);
+            assertNotNull(admin);
+            // the colliding node must have been removed.
+            assertFalse(s2.nodeExists(collidingPath));
+
+        } finally {
+            if (s2 != null) {
+                s2.logout();
+            }
+            if (collidingPath != null && s.nodeExists(collidingPath)) {
+                s.getNode(collidingPath).remove();
+                s.save();
+            }
+        }
+    }
 }

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/AuthorizableImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/AuthorizableImplTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/AuthorizableImplTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/AuthorizableImplTest.java Wed Nov 25 14:04:38 2009
@@ -20,34 +20,34 @@
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.core.NodeImpl;
-import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.core.PropertyImpl;
+import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
 import org.apache.jackrabbit.test.NotExecutableException;
 import org.apache.jackrabbit.value.StringValue;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 import javax.jcr.Property;
+import javax.jcr.PropertyIterator;
 import javax.jcr.RepositoryException;
 import javax.jcr.Value;
-import javax.jcr.PropertyIterator;
+import javax.jcr.PropertyType;
 import javax.jcr.nodetype.ConstraintViolationException;
-import javax.jcr.nodetype.NodeType;
 import java.util.ArrayList;
-import java.util.Iterator;
 import java.util.List;
+import java.util.Iterator;
+import java.util.HashSet;
+import java.util.Set;
+import java.security.Principal;
 
 /**
  * <code>AuthorizableImplTest</code>...
  */
 public class AuthorizableImplTest extends AbstractUserTest {
 
-    private static Logger log = LoggerFactory.getLogger(AuthorizableImplTest.class);
-
-    private List protectedUserProps = new ArrayList();
-    private List protectedGroupProps = new ArrayList();
+    private List<String> protectedUserProps = new ArrayList();
+    private List<String> protectedGroupProps = new ArrayList();
 
     protected void setUp() throws Exception {
         super.setUp();
@@ -55,11 +55,10 @@
         if (superuser instanceof SessionImpl) {
             NameResolver resolver = (SessionImpl) superuser;
             protectedUserProps.add(resolver.getJCRName(UserConstants.P_PASSWORD));
-            protectedUserProps.add(resolver.getJCRName(UserConstants.P_GROUPS));
             protectedUserProps.add(resolver.getJCRName(UserConstants.P_IMPERSONATORS));
             protectedUserProps.add(resolver.getJCRName(UserConstants.P_PRINCIPAL_NAME));
 
-            protectedUserProps.add(resolver.getJCRName(UserConstants.P_GROUPS));
+            protectedUserProps.add(resolver.getJCRName(UserConstants.P_MEMBERS));
             protectedGroupProps.add(resolver.getJCRName(UserConstants.P_PRINCIPAL_NAME));
         } else {
             throw new NotExecutableException();
@@ -85,22 +84,22 @@
         Value v = superuser.getValueFactory().createValue("any_value");
 
         User u = getTestUser(superuser);
-        for (Iterator it = protectedUserProps.iterator(); it.hasNext();) {
-            String pName = it.next().toString();
+        for (String pName : protectedUserProps) {
             try {
                 u.setProperty(pName, v);
-                fail("changing the '" +pName+ "' property on a User should fail.");
+                save(superuser);
+                fail("changing the '" + pName + "' property on a User should fail.");
             } catch (RepositoryException e) {
                 // success
             }
         }
         
         Group g = getTestGroup(superuser);
-        for (Iterator it = protectedGroupProps.iterator(); it.hasNext();) {
-            String pName = it.next().toString();
+        for (String pName : protectedGroupProps) {
             try {
                 g.setProperty(pName, v);
-                fail("changing the '" +pName+ "' property on a Group should fail.");
+                save(superuser);
+                fail("changing the '" + pName + "' property on a Group should fail.");
             } catch (RepositoryException e) {
                 // success
             }
@@ -109,21 +108,21 @@
 
     public void testRemoveSpecialProperties() throws NotExecutableException, RepositoryException {
         User u = getTestUser(superuser);
-        for (Iterator it = protectedUserProps.iterator(); it.hasNext();) {
-            String pName = it.next().toString();
+        for (String pName : protectedUserProps) {
             try {
                 u.removeProperty(pName);
-                fail("removing the '" +pName+ "' property on a User should fail.");
+                save(superuser);
+                fail("removing the '" + pName + "' property on a User should fail.");
             } catch (RepositoryException e) {
                 // success
             }
         }
         Group g = getTestGroup(superuser);
-        for (Iterator it = protectedGroupProps.iterator(); it.hasNext();) {
-            String pName = it.next().toString();
+        for (String pName : protectedGroupProps) {
             try {
                 g.removeProperty(pName);
-                fail("removing the '" +pName+ "' property on a Group should fail.");
+                save(superuser);
+                fail("removing the '" + pName + "' property on a Group should fail.");
             } catch (RepositoryException e) {
                 // success
             }
@@ -135,9 +134,8 @@
         NodeImpl n = user.getNode();
 
         checkProtected(n.getProperty(UserConstants.P_PASSWORD));
-        checkProtected(n.getProperty(UserConstants.P_PRINCIPAL_NAME));
-        if (n.hasProperty(UserConstants.P_GROUPS)) {
-            checkProtected(n.getProperty(UserConstants.P_GROUPS));
+        if (n.hasProperty(UserConstants.P_PRINCIPAL_NAME)) {
+            checkProtected(n.getProperty(UserConstants.P_PRINCIPAL_NAME));
         }
         if (n.hasProperty(UserConstants.P_IMPERSONATORS)) {
            checkProtected(n.getProperty(UserConstants.P_IMPERSONATORS));
@@ -148,9 +146,25 @@
         GroupImpl gr = (GroupImpl) getTestGroup(superuser);
         NodeImpl n = gr.getNode();
 
-        checkProtected(n.getProperty(UserConstants.P_PRINCIPAL_NAME));
-        if (n.hasProperty(UserConstants.P_GROUPS)) {
-            checkProtected(n.getProperty(UserConstants.P_GROUPS));
+        if (n.hasProperty(UserConstants.P_PRINCIPAL_NAME)) {
+            checkProtected(n.getProperty(UserConstants.P_PRINCIPAL_NAME));
+        }
+        if (n.hasProperty(UserConstants.P_MEMBERS)) {
+            checkProtected(n.getProperty(UserConstants.P_MEMBERS));
+        }
+    }
+
+    public void testMembersPropertyType() throws NotExecutableException, RepositoryException {
+        GroupImpl gr = (GroupImpl) getTestGroup(superuser);
+        NodeImpl n = gr.getNode();
+
+        if (!n.hasProperty(UserConstants.P_MEMBERS)) {
+            gr.addMember(getTestUser(superuser));
+        }
+
+        Property p = n.getProperty(UserConstants.P_MEMBERS);
+        for (Value v : p.getValues()) {
+            assertEquals(PropertyType.WEAKREFERENCE, v.getType());
         }
     }
 
@@ -177,12 +191,41 @@
         }
     }
 
-    public void testRemoveSpecialPropertiesDirectly() throws RepositoryException, NotExecutableException {
+    public void testRemoveSpecialUserPropertiesDirectly() throws RepositoryException, NotExecutableException {
+        AuthorizableImpl g = (AuthorizableImpl) getTestUser(superuser);
+        NodeImpl n = g.getNode();
+        try {
+            n.getProperty(UserConstants.P_PASSWORD).remove();
+            fail("Attempt to remove protected property rep:password should fail.");
+        } catch (ConstraintViolationException e) {
+            // ok.
+        }
+        try {
+            if (n.hasProperty(UserConstants.P_PRINCIPAL_NAME)) {
+                n.getProperty(UserConstants.P_PRINCIPAL_NAME).remove();
+                fail("Attempt to remove protected property rep:principalName should fail.");
+            }
+        } catch (ConstraintViolationException e) {
+            // ok.
+        }
+    }
+
+    public void testRemoveSpecialGroupPropertiesDirectly() throws RepositoryException, NotExecutableException {
         AuthorizableImpl g = (AuthorizableImpl) getTestGroup(superuser);
         NodeImpl n = g.getNode();
         try {
-            n.getProperty(UserConstants.P_PRINCIPAL_NAME).remove();
-            fail("Attempt to remove protected property rep:principalName should fail.");
+            if (n.hasProperty(UserConstants.P_PRINCIPAL_NAME)) {
+                n.getProperty(UserConstants.P_PRINCIPAL_NAME).remove();
+                fail("Attempt to remove protected property rep:principalName should fail.");
+            }
+        } catch (ConstraintViolationException e) {
+            // ok.
+        }
+        try {
+            if (n.hasProperty(UserConstants.P_MEMBERS)) {
+                n.getProperty(UserConstants.P_MEMBERS).remove();
+                fail("Attempt to remove protected property rep:members should fail.");
+            }
         } catch (ConstraintViolationException e) {
             // ok.
         }
@@ -194,9 +237,7 @@
 
         for (PropertyIterator it = n.getProperties(); it.hasNext();) {
             PropertyImpl p = (PropertyImpl) it.nextProperty();
-            NodeType declaringNt = p.getDefinition().getDeclaringNodeType();
-            if (!declaringNt.isNodeType("rep:Authorizable") ||
-                    protectedUserProps.contains(p.getName())) {
+            if (p.getDefinition().isProtected()) {
                 assertFalse(user.hasProperty(p.getName()));
                 assertNull(user.getProperty(p.getName()));
             } else {
@@ -213,9 +254,7 @@
 
         for (PropertyIterator it = n.getProperties(); it.hasNext();) {
             PropertyImpl p = (PropertyImpl) it.nextProperty();
-            NodeType declaringNt = p.getDefinition().getDeclaringNodeType();
-            if (!declaringNt.isNodeType("rep:Authorizable") ||
-                    protectedGroupProps.contains(p.getName())) {
+            if (p.getDefinition().isProtected()) {
                 assertFalse(group.hasProperty(p.getName()));
                 assertNull(group.getProperty(p.getName()));
             } else {
@@ -225,4 +264,111 @@
             }
         }
     }
+
+    public void testSingleToMultiValued() throws Exception {
+        AuthorizableImpl user = (AuthorizableImpl) getTestUser(superuser);
+        UserManager uMgr = getUserManager(superuser);
+        try {
+            Value v = superuser.getValueFactory().createValue("anyValue");
+            user.setProperty("someProp", v);
+            if (!uMgr.isAutoSave()) {
+                superuser.save();
+            }
+            Value[] vs = new Value[] {v, v};
+            user.setProperty("someProp", vs);
+            if (!uMgr.isAutoSave()) {
+                superuser.save();
+            }
+        } finally {
+            if (user.removeProperty("someProp") && !uMgr.isAutoSave()) {
+                superuser.save();
+            }
+        }
+    }
+
+    public void testMultiValuedToSingle() throws Exception {
+        AuthorizableImpl user = (AuthorizableImpl) getTestUser(superuser);
+        UserManager uMgr = getUserManager(superuser);
+        try {
+            Value v = superuser.getValueFactory().createValue("anyValue");
+            Value[] vs = new Value[] {v, v};
+            user.setProperty("someProp", vs);
+            if (!uMgr.isAutoSave()) {
+                superuser.save();
+            }
+            user.setProperty("someProp", v);
+            if (!uMgr.isAutoSave()) {
+                superuser.save();
+            }
+        } finally {
+            if (user.removeProperty("someProp") && !uMgr.isAutoSave()) {
+                superuser.save();
+            }
+        }
+    }
+
+    public void testObjectMethods() throws Exception {
+        final AuthorizableImpl user = (AuthorizableImpl) getTestUser(superuser);
+        AuthorizableImpl user2 = (AuthorizableImpl) getTestUser(superuser);
+
+        assertEquals(user, user2);
+        assertEquals(user.hashCode(), user2.hashCode());
+        Set<Authorizable> s = new HashSet();
+        s.add(user);
+        assertFalse(s.add(user2));
+
+        Authorizable user3 = new Authorizable() {
+
+            public String getID() throws RepositoryException {
+                return user.getID();
+            }
+
+            public boolean isGroup() {
+                return user.isGroup();
+            }
+
+            public Principal getPrincipal() throws RepositoryException {
+                return user.getPrincipal();
+            }
+
+            public Iterator<Group> declaredMemberOf() throws RepositoryException {
+                return user.declaredMemberOf();
+            }
+
+            public Iterator<Group> memberOf() throws RepositoryException {
+                return user.memberOf();
+            }
+
+            public void remove() throws RepositoryException {
+                user.remove();
+            }
+
+            public Iterator<String> getPropertyNames() throws RepositoryException {
+                return user.getPropertyNames();
+            }
+
+            public boolean hasProperty(String name) throws RepositoryException {
+                return user.hasProperty(name);
+            }
+
+            public void setProperty(String name, Value value) throws RepositoryException {
+                user.setProperty(name, value);
+            }
+
+            public void setProperty(String name, Value[] values) throws RepositoryException {
+                user.setProperty(name, values);
+            }
+
+            public Value[] getProperty(String name) throws RepositoryException {
+                return user.getProperty(name);
+            }
+
+            public boolean removeProperty(String name) throws RepositoryException {
+                return user.removeProperty(name);
+            }
+        };
+
+        assertFalse(user.equals(user3));
+        assertTrue(s.add(user3));
+    }
 }
\ No newline at end of file

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/GroupAdministratorTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/GroupAdministratorTest.java?rev=884108&r1=884107&r2=884108&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/GroupAdministratorTest.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/GroupAdministratorTest.java Wed Nov 25 14:04:38 2009
@@ -29,6 +29,7 @@
 import javax.jcr.Credentials;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.Node;
 import java.security.Principal;
 import java.util.Iterator;
 
@@ -45,6 +46,7 @@
     private String otherUID2;
     private String grID;
 
+    private String groupsPath;
 
     private Group groupAdmin;
 
@@ -54,6 +56,7 @@
         // create a first user
         Principal p = getTestPrincipal();
         UserImpl pUser = (UserImpl) userMgr.createUser(p.getName(), buildPassword(p));
+        save(superuser);
         otherUID = pUser.getID();
 
         // create a second user and make it group-admin
@@ -61,19 +64,23 @@
         String pw = buildPassword(p);
         Credentials creds = buildCredentials(p.getName(), pw);
         User user = userMgr.createUser(p.getName(), pw);
+        save(superuser);
         uID = user.getID();
 
         // make other user a group-administrator:
         Authorizable grAdmin = userMgr.getAuthorizable(UserConstants.GROUP_ADMIN_GROUP_NAME);
         if (grAdmin == null || !grAdmin.isGroup()) {
-            throw new NotExecutableException("Cannot execute test. Group-Admin name has been changed by config.");
+            throw new NotExecutableException("Cannot execute test. No group-administrator group found.");
         }
         groupAdmin = (Group) grAdmin;
         groupAdmin.addMember(user);
+        save(superuser);
         grID = groupAdmin.getID();
 
-        // create a session for the grou-admin user.
+        // create a session for the group-admin user.
         uSession = getHelper().getRepository().login(creds);
+
+        groupsPath = (userMgr instanceof UserManagerImpl) ? ((UserManagerImpl) userMgr).getGroupsPath() : UserConstants.GROUPS_PATH;
     }
 
     protected void tearDown() throws Exception {
@@ -90,16 +97,17 @@
             if (a != null) {
                 a.remove();
             }
-
+            save(superuser);
         }
         super.tearDown();
     }
 
-    private String getYetAnotherID() throws RepositoryException {
+    private String getYetAnotherID() throws RepositoryException, NotExecutableException {
         if (otherUID2 == null) {
             // create a third user
             Principal p = getTestPrincipal();
             otherUID2 = userMgr.createUser(p.getName(), buildPassword(p)).getID();
+            save(superuser);
         }
         return otherUID2;
     }
@@ -118,10 +126,15 @@
         try {
             Principal p = getTestPrincipal();
             u = (UserImpl) umgr.createUser(p.getName(), buildPassword(p));
+            save(uSession);
             fail("Group administrator should not be allowed to create a new user.");
-            u.remove();
         } catch (AccessDeniedException e) {
             // success
+        } finally {
+            if (u != null) {
+                u.remove();
+                save(uSession);
+            }
         }
     }
 
@@ -131,21 +144,37 @@
         Authorizable himself = umgr.getAuthorizable(uID);
         try {
             himself.remove();
+            save(uSession);
             fail("A GroupAdministrator should not be allowed to remove the own authorizable.");
         } catch (AccessDeniedException e) {
             // success
         }
     }
 
+    public void testRemoveGroupAdmin() throws RepositoryException, NotExecutableException {
+        UserManager umgr = getUserManager(uSession);
+
+        Authorizable groupAdmin = umgr.getAuthorizable(grID);
+        try {
+            groupAdmin.remove();
+            save(uSession);
+            fail("A GroupAdministrator should not be allowed to remove the group admin.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
     public void testCreateGroup() throws RepositoryException, NotExecutableException {
         UserManager umgr = getUserManager(uSession);
         Group testGroup = null;
         try {
             testGroup = umgr.createGroup(getTestPrincipal());
-            assertTrue(Text.isDescendant(UserConstants.GROUPS_PATH, ((GroupImpl)testGroup).getNode().getPath()));
+            save(uSession);
+            assertTrue(Text.isDescendant(groupsPath, ((GroupImpl)testGroup).getNode().getPath()));
         } finally {
             if (testGroup != null) {
                 testGroup.remove();
+                save(uSession);
             }
         }
     }
@@ -155,10 +184,12 @@
         Group testGroup = null;
         try {
             testGroup = umgr.createGroup(getTestPrincipal(), "/any/intermediate/path");
-            assertTrue(Text.isDescendant(UserConstants.GROUPS_PATH + "/any/intermediate/path", ((GroupImpl)testGroup).getNode().getPath()));
+            save(uSession);
+            assertTrue(Text.isDescendant(groupsPath + "/any/intermediate/path", ((GroupImpl)testGroup).getNode().getPath()));
         } finally {
             if (testGroup != null) {
                 testGroup.remove();
+                save(uSession);
             }
         }
     }
@@ -168,14 +199,13 @@
         Authorizable cU = umgr.getAuthorizable(getYetAnotherID());
         Group gr = (Group) umgr.getAuthorizable(grID);
 
-        // adding and removing the child-user as member of a group must not 
-        // succeed as long editing session is not user-admin.
+        // adding and removing the test user as member of a group must succeed.
         try {
-            assertFalse("Modifying group membership requires GroupAdmin and UserAdmin.",gr.addMember(cU));
-        } catch (AccessDeniedException e) {
-            // ok
+            assertTrue("Modifying group membership requires GroupAdmin membership.",gr.addMember(cU));
+            save(uSession);
         } finally {
             gr.removeMember(cU);
+            save(uSession);
         }
     }
 
@@ -183,75 +213,80 @@
         UserManager umgr = getUserManager(uSession);
         Authorizable cU = umgr.getAuthorizable(getYetAnotherID());
 
-        Authorizable auth = umgr.getAuthorizable(UserConstants.USER_ADMIN_GROUP_NAME);
-        if (auth == null || !auth.isGroup()) {
-            throw new NotExecutableException("Cannot execute test. User-Admin name has been changed by config.");
-        }
-        Group userAdmin = (Group)auth;
-        User self = (User) umgr.getAuthorizable(uID);
-        try {
-            assertTrue(userAdmin.addMember(self));
-
-            Group gr = (Group) umgr.getAuthorizable(groupAdmin.getID());
-            assertTrue(gr.addMember(cU));
-            assertTrue(gr.removeMember(cU));
-        } finally {
-            userAdmin.removeMember(self);
-        }
+        Group gr = (Group) umgr.getAuthorizable(groupAdmin.getID());
+        assertTrue(gr.addMember(cU));
+        save(uSession);
+        assertTrue(gr.removeMember(cU));
+        save(uSession);
     }
 
     public void testAddMembersToCreatedGroup() throws RepositoryException, NotExecutableException {
         UserManager umgr = getUserManager(uSession);
-        Authorizable auth = umgr.getAuthorizable(UserConstants.USER_ADMIN_GROUP_NAME);
-        if (auth == null || !auth.isGroup()) {
-            throw new NotExecutableException("Cannot execute test. User-Admin name has been changed by config.");
-        }
-        Group userAdmin = (Group) auth;
         Group testGroup = null;
         User self = (User) umgr.getAuthorizable(uID);
         try {
             // let groupadmin create a new group
             testGroup = umgr.createGroup(getTestPrincipal(), "/a/b/c/d");
+            save(uSession);
 
             // editing session adds itself to that group -> must succeed.
             assertTrue(testGroup.addMember(self));
-
-            // editing session adds itself to user-admin group
-            userAdmin.addMember(self);
-            assertTrue(userAdmin.isMember(self));
+            save(uSession);
 
             // add child-user to test group
             Authorizable testUser = umgr.getAuthorizable(getYetAnotherID());
             assertFalse(testGroup.isMember(testUser));
             assertTrue(testGroup.addMember(testUser));
+            save(uSession);
         } finally {
             if (testGroup != null) {
-                for (Iterator it = testGroup.getDeclaredMembers(); it.hasNext();) {
-                    testGroup.removeMember((Authorizable) it.next());
+                for (Iterator<Authorizable> it = testGroup.getDeclaredMembers(); it.hasNext();) {
+                    testGroup.removeMember(it.next());
                 }
                 testGroup.remove();
+                save(uSession);
             }
-            userAdmin.removeMember(self);            
         }
     }
 
-    public void testAddMemberToForeignGroup() throws RepositoryException, NotExecutableException {
+    public void testAddMembersUserAdmins() throws RepositoryException, NotExecutableException {
+        UserManager umgr = getUserManager(uSession);
+        Authorizable auth = umgr.getAuthorizable(UserConstants.USER_ADMIN_GROUP_NAME);
+        if (auth == null || !auth.isGroup()) {
+            throw new NotExecutableException("Cannot execute test. No User-Admin group found.");
+        }
+        Group userAdmin = (Group) auth;
+        Group testGroup = null;
+        User self = (User) umgr.getAuthorizable(uID);
         try {
-            // let superuser create child user below the user with uID.
-            UserManager umgr = getUserManager(uSession);
-            Authorizable cU = umgr.getAuthorizable(getYetAnotherID());
-            Group uadminGr = (Group) umgr.getAuthorizable(UserConstants.USER_ADMIN_GROUP_NAME);
-            if (uadminGr.isMember(cU)) {
-                throw new RepositoryException("Test user is already member -> cannot execute.");
-            }
 
-            // adding to and removing a child user from a group the group-admin
-            // is NOT member of must fail.
-            uadminGr.addMember(cU);
-            fail("A GroupAdmin should not be allowed to add a user to a group she/he is not member of.");
+            userAdmin.addMember(self);
+            save(uSession);
+
+            userAdmin.removeMember(self);
+            save(uSession);
+            fail("Group admin cannot add member to user-admins");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+
+        try {
+            // let groupadmin create a new group
+            testGroup = umgr.createGroup(getTestPrincipal(), "/a/b/c/d");
+            save(uSession);
 
+            userAdmin.addMember(testGroup);
+            save(uSession);
+            userAdmin.removeMember(testGroup);
+            save(uSession);
+            fail("Group admin cannot add member to user-admins");
         } catch (AccessDeniedException e) {
-            // success.
+            // success
+        } finally {
+            if (testGroup != null) {
+                testGroup.remove();
+                save(uSession);
+            }
         }
     }
 
@@ -261,35 +296,12 @@
         Authorizable pU = umgr.getAuthorizable(otherUID);
         Group gr = (Group) umgr.getAuthorizable(groupAdmin.getID());
 
-        // adding and removing the parent-user as member of a group must not
-        // succeed: editing session isn't UserAdmin
         try {
-            assertFalse(gr.addMember(pU));
-        } catch (AccessDeniedException e) {
-            // ok
-        } finally {
-            gr.removeMember(pU);
-        }
-
-        // ... if the editing user becomes member of the user-admin group it
-        // must work.
-        Group uAdministrators = null;
-        try {
-            Authorizable userAdmin = userMgr.getAuthorizable(UserConstants.USER_ADMIN_GROUP_NAME);
-            if (userAdmin == null || !userAdmin.isGroup()) {
-                throw new NotExecutableException("Cannot execute test. User-Admin name has been changed by config.");
-            }
-            uAdministrators = (Group) userAdmin;
-            uAdministrators.addMember(userMgr.getAuthorizable(uID));
-
             assertTrue(gr.addMember(pU));
-            gr.removeMember(pU);
+            save(uSession);
         } finally {
-            // let superuser do the clean up.
-            // remove testuser from u-admin group again.
-            if (uAdministrators != null) {
-                uAdministrators.removeMember(userMgr.getAuthorizable(uID));
-            }
+            gr.removeMember(pU);
+            save(uSession);
         }
     }
 
@@ -316,16 +328,20 @@
 
     public void testAddOwnAuthorizableToForeignGroup() throws RepositoryException, NotExecutableException {
         UserManager umgr = getUserManager(uSession);
+        Authorizable self = umgr.getAuthorizable(uID);
 
-        Authorizable user = umgr.getAuthorizable(uID);
-        Group uadminGr = (Group) umgr.getAuthorizable(UserConstants.USER_ADMIN_GROUP_NAME);
-        if (uadminGr.isMember(user)) {
-            throw new RepositoryException("Test user is already member -> cannot execute.");
-        }
+        Group gr = userMgr.createGroup(getTestPrincipal());
+        save(superuser);
 
-        String msg = "GroupAdmin must be able to add its own authorizable to a group she/he is not yet member of.";
-        assertTrue(msg, uadminGr.addMember(user));
-        assertTrue(msg, uadminGr.removeMember(user));
+        try {
+            assertTrue(((Group) umgr.getAuthorizable(gr.getID())).addMember(self));
+            save(uSession);
+            assertTrue(((Group) umgr.getAuthorizable(gr.getID())).removeMember(self));
+            save(uSession);
+        } finally {
+            gr.remove();
+            save(superuser);
+        }
     }
 
     public void testRemoveMembersOfForeignGroup() throws RepositoryException, NotExecutableException {
@@ -336,24 +352,32 @@
         try {
             // let superuser create a group and a user a make user member of group
             nGr = userMgr.createGroup(getTestPrincipal());
+            save(superuser);
+
             Principal p = getTestPrincipal();
             nUs = userMgr.createUser(p.getName(), buildPassword(p));
+            save(superuser);
+
             p = getTestPrincipal();
             nUs2 = userMgr.createUser(p.getName(), buildPassword(p));
+            save(superuser);
             nGr.addMember(nUs);
             nGr.addMember(nUs2);
+            save(superuser);
 
-            Group gr = (Group) getUserManager(uSession).getAuthorizable(nGr.getID());
+            UserManager umgr = getUserManager(uSession);
+            Group gr = (Group) umgr.getAuthorizable(nGr.getID());
 
             // removing any member must fail unless the testuser is user-admin
-            Iterator it = gr.getMembers();
+            Iterator<Authorizable> it = gr.getMembers();
             if (it.hasNext()) {
-                Authorizable auth = (Authorizable) it.next();
+                Authorizable auth = it.next();
 
-                String msg = "GroupAdmin cannot remove members of other user unless he/she is user-admin.";
-                assertFalse(msg, gr.removeMember(auth));
+                String msg = "GroupAdmin must be able to modify group membership.";
+                assertTrue(msg, gr.removeMember(auth));
+                save(uSession);
             } else {
-                throw new RepositoryException("Must contain members....");
+                fail("Must contain members....");
             }
 
         } catch (AccessDeniedException e) {
@@ -367,6 +391,7 @@
             }
             if (nUs != null) nUs.remove();
             if (nUs2 != null) nUs2.remove();
+            save(superuser);
         }
     }
 
@@ -377,19 +402,23 @@
         try {
             // let superuser create a group and a user a make user member of group
             nGr = userMgr.createGroup(getTestPrincipal());
+            save(superuser);
             Principal p = getTestPrincipal();
             nUs = userMgr.createUser(p.getName(), buildPassword(p));
             nGr.addMember(nUs);
+            save(superuser);
 
-            Group gr = (Group) getUserManager(uSession).getAuthorizable(nGr.getID());
+            UserManager umgr = getUserManager(uSession);
+            Group gr = (Group) umgr.getAuthorizable(nGr.getID());
 
             // since only 1 single member -> removal rather than modification.
             // since uSession is not user-admin this must fail.
-            for (Iterator it = gr.getMembers(); it.hasNext();) {
-                Authorizable auth = (Authorizable) it.next();
+            for (Iterator<Authorizable> it = gr.getMembers(); it.hasNext();) {
+                Authorizable auth = it.next();
 
-                String msg = "GroupAdmin cannot remove members of groups unless he/she is UserAdmin.";
-                assertFalse(msg, gr.removeMember(auth));
+                String msg = "GroupAdmin must be able to remove a member of another group.";
+                assertTrue(msg, gr.removeMember(auth));
+                save(uSession);
             }
         } catch (AccessDeniedException e) {
             // fine as well.
@@ -398,6 +427,7 @@
             if (nGr != null && nUs != null) nGr.removeMember(nUs);
             if (nGr != null) nGr.remove();
             if (nUs != null) nUs.remove();
+            save(superuser);
         }
     }
 
@@ -410,6 +440,7 @@
         assertFalse(impers.allows(buildSubject(selfPrinc)));
         try {
             assertFalse(impers.grantImpersonation(selfPrinc));
+            save(uSession);
         } catch (AccessDeniedException e) {
             // ok.
         }
@@ -420,6 +451,7 @@
         assertFalse(impers.allows(buildSubject(selfPrinc)));
         try {
             assertFalse(impers.grantImpersonation(selfPrinc));
+            save(uSession);
         } catch (AccessDeniedException e) {
             // ok.
         }
@@ -432,14 +464,32 @@
         try {
             Principal p = getTestPrincipal();
             gr = umgr.createGroup(p);
+            save(uSession);
 
+            // must be visible for the user-mgr attached to another session.
             Authorizable az = userMgr.getAuthorizable(gr.getID());
             assertNotNull(az);
             assertEquals(gr.getID(), az.getID());
         } finally {
             if (gr != null) {
                 gr.remove();
+                save(uSession);
             }
         }
     }
+
+    public void testAddCustomNodeToGroupAdminNode() throws RepositoryException, NotExecutableException {
+        UserManager umgr = getUserManager(uSession);
+        Node groupAdminNode = ((AuthorizableImpl) umgr.getAuthorizable(grID)).getNode();
+        Session s = groupAdminNode.getSession();
+
+        Node n = groupAdminNode.addNode(nodeName1, ntUnstructured);
+        save(uSession);
+
+        n.setProperty(propertyName1, s.getValueFactory().createValue("anyValue"));
+        save(uSession);
+
+        n.remove();
+        save(uSession);
+    }
 }
\ No newline at end of file



Mime
View raw message