Return-Path: Delivered-To: apmail-jackrabbit-commits-archive@www.apache.org Received: (qmail 65683 invoked from network); 5 Nov 2009 22:08:50 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 5 Nov 2009 22:08:50 -0000 Received: (qmail 56502 invoked by uid 500); 5 Nov 2009 22:08:50 -0000 Delivered-To: apmail-jackrabbit-commits-archive@jackrabbit.apache.org Received: (qmail 56431 invoked by uid 500); 5 Nov 2009 22:08:50 -0000 Mailing-List: contact commits-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@jackrabbit.apache.org Delivered-To: mailing list commits@jackrabbit.apache.org Received: (qmail 56422 invoked by uid 99); 5 Nov 2009 22:08:50 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 05 Nov 2009 22:08:50 +0000 X-ASF-Spam-Status: No, hits=-2.6 required=5.0 tests=BAYES_00 X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 05 Nov 2009 22:08:45 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 0DBD123888AD; Thu, 5 Nov 2009 22:08:25 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r833210 - in /jackrabbit/trunk/jackrabbit-core/src: main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java Date: Thu, 05 Nov 2009 22:08:24 -0000 To: commits@jackrabbit.apache.org From: angela@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20091105220825.0DBD123888AD@eris.apache.org> Author: angela Date: Thu Nov 5 22:08:24 2009 New Revision: 833210 URL: http://svn.apache.org/viewvc?rev=833210&view=rev Log: JCR-2386 - wrong eval order of access control entries within a single node Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java?rev=833210&r1=833209&r2=833210&view=diff ============================================================================== --- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java (original) +++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java Thu Nov 5 22:08:24 2009 @@ -581,6 +581,10 @@ PrincipalManager principalMgr = sImpl.getPrincipalManager(); AccessControlManager acMgr = sImpl.getAccessControlManager(); + // first collect aces present on the given aclNode. + List gaces = new ArrayList(); + List uaces = new ArrayList(); + NodeIterator itr = aclNode.getNodes(); while (itr.hasNext()) { NodeImpl aceNode = (NodeImpl) itr.nextNode(); @@ -605,13 +609,26 @@ aceNode.isNodeType(AccessControlConstants.NT_REP_GRANT_ACE), sImpl.getValueFactory()); // add it to the proper list (e.g. separated by principals) + /** + * NOTE: access control entries must be collected in reverse + * order in order to assert proper evaluation. + */ if (princ instanceof Group) { - groupAces.add(ace); + gaces.add(0, ace); } else { - userAces.add(ace); + uaces.add(0, ace); } } } + + // add the lists of aces to the overall lists that contain the entries + // throughout the hierarchy. + if (!gaces.isEmpty()) { + groupAces.addAll(gaces); + } + if (!uaces.isEmpty()) { + userAces.addAll(uaces); + } } private Iterator iterator() { Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java?rev=833210&r1=833209&r2=833210&view=diff ============================================================================== --- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java (original) +++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java Thu Nov 5 22:08:24 2009 @@ -18,11 +18,13 @@ import org.apache.jackrabbit.api.security.JackrabbitAccessControlList; import org.apache.jackrabbit.api.security.user.Group; +import org.apache.jackrabbit.api.security.user.UserManager; import org.apache.jackrabbit.core.SessionImpl; import org.apache.jackrabbit.core.security.authorization.AbstractWriteTest; import org.apache.jackrabbit.core.security.authorization.AccessControlConstants; import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry; import org.apache.jackrabbit.core.security.principal.EveryonePrincipal; +import org.apache.jackrabbit.core.security.TestPrincipal; import org.apache.jackrabbit.test.NotExecutableException; import javax.jcr.AccessDeniedException; @@ -37,6 +39,7 @@ import java.security.Principal; import java.util.Collections; import java.util.Map; +import java.util.UUID; /** * EvaluationTest... @@ -263,4 +266,76 @@ // result at 'child path' must be deny assertFalse(testAcMgr.hasPrivileges(childNPath, privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES))); } + + public void testMultipleGroupPermissionsOnNode() throws NotExecutableException, RepositoryException { + Group testGroup = getTestGroup(); + + /* create a second group the test user is member of */ + Principal principal = new TestPrincipal("testGroup" + UUID.randomUUID()); + UserManager umgr = getUserManager(superuser); + Group group2 = umgr.createGroup(principal); + try { + group2.addMember(testUser); + if (!umgr.isAutoSave() && superuser.hasPendingChanges()) { + superuser.save(); + } + + /* add privileges for the Group the test-user is member of */ + Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES); + givePrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(superuser, path)); + + withdrawPrivileges(path, group2.getPrincipal(), privileges, getRestrictions(superuser, path)); + + /* + testuser must get the permissions/privileges inherited from + the group it is member of. + the denial of group2 must succeed + */ + String actions = javax.jcr.Session.ACTION_SET_PROPERTY + "," + javax.jcr.Session.ACTION_READ; + + AccessControlManager testAcMgr = getTestACManager(); + + assertFalse(getTestSession().hasPermission(path, actions)); + Privilege[] privs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES); + assertFalse(testAcMgr.hasPrivileges(path, privs)); + } finally { + group2.remove(); + } + } + + public void testMultipleGroupPermissionsOnNode2() throws NotExecutableException, RepositoryException { + Group testGroup = getTestGroup(); + + /* create a second group the test user is member of */ + Principal principal = new TestPrincipal("testGroup" + UUID.randomUUID()); + UserManager umgr = getUserManager(superuser); + Group group2 = umgr.createGroup(principal); + + try { + group2.addMember(testUser); + if (!umgr.isAutoSave() && superuser.hasPendingChanges()) { + superuser.save(); + } + + /* add privileges for the Group the test-user is member of */ + Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES); + withdrawPrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(superuser, path)); + + givePrivileges(path, group2.getPrincipal(), privileges, getRestrictions(superuser, path)); + + /* + testuser must get the permissions/privileges inherited from + the group it is member of. + the denial of group2 must succeed + */ + String actions = javax.jcr.Session.ACTION_SET_PROPERTY + "," + javax.jcr.Session.ACTION_READ; + + AccessControlManager testAcMgr = getTestACManager(); + assertTrue(getTestSession().hasPermission(path, actions)); + Privilege[] privs = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES); + assertTrue(testAcMgr.hasPrivileges(path, privs)); + } finally { + group2.remove(); + } + } } \ No newline at end of file