jackrabbit-commits mailing list archives

From ju...@apache.org
Subject svn commit: r1202725 - in /jackrabbit/branches/2.2: ./ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/ jackrabbit-core/src/test/java/org/apache/jackrabbit/core/s...
Date Wed, 16 Nov 2011 14:47:50 GMT
Author: jukka
Date: Wed Nov 16 14:47:50 2011
New Revision: 1202725

URL: http://svn.apache.org/viewvc?rev=1202725&view=rev
Log:
2.2: Merged revision 1072087 (JCR-2883)

Added:
    jackrabbit/branches/2.2/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java
      - copied unchanged from r1072087, jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java
Modified:
    jackrabbit/branches/2.2/   (props changed)
    jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/NodeImpl.java
    jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java
    jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java
    jackrabbit/branches/2.2/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java
    jackrabbit/branches/2.2/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java

Propchange: jackrabbit/branches/2.2/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Nov 16 14:47:50 2011
@@ -3,4 +3,4 @@
 /jackrabbit/sandbox/JCR-1456:774917-886178
 /jackrabbit/sandbox/JCR-2170:812417-816332
 /jackrabbit/sandbox/tripod-JCR-2209:795441-795863
-/jackrabbit/trunk
 2262,1102268-1102270,1102299,1102601,1104027,1128175,1129206,1130192,1130228,1132993,1136353,1136360,1138511,1141141,1141717,1143396,1143738,1144332,1144338,1144695,1152258,1155431,1157175,1165609,1173196,1174822,1174887,1175988,1176423,1176465,1176515,1176546,1177249,1177340,1178251,1178892,1179548,1180922,1181712,1182281,1182667,1182929,1183409,1185691,1186285,1186802,1187344,1188541,1188590,1198827
+/jackrabbit/trunk
 1046,1102262,1102268-1102270,1102299,1102601,1104027,1128175,1129206,1130192,1130228,1132993,1136353,1136360,1138511,1141141,1141717,1143396,1143738,1144332,1144338,1144695,1152258,1155431,1157175,1165609,1173196,1174822,1174887,1175988,1176423,1176465,1176515,1176546,1177249,1177340,1178251,1178892,1179548,1180922,1181712,1182281,1182667,1182929,1183409,1185691,1186285,1186802,1187344,1188541,1188590,1198827

Modified: jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/NodeImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/NodeImpl.java?rev=1202725&r1=1202724&r2=1202725&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/NodeImpl.java
(original)
+++ jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/NodeImpl.java
Wed Nov 16 14:47:50 2011
@@ -1435,7 +1435,7 @@ public class NodeImpl extends ItemImpl i
         PathBuilder pb = new PathBuilder(getPrimaryPath());
         pb.addLast(srcName.getName(), srcName.getIndex());
         Path childPath = pb.getPath();
-        if (!acMgr.isGranted(childPath, Permission.ADD_NODE | Permission.REMOVE_NODE)) {
+        if (!acMgr.isGranted(childPath, Permission.MODIFY_CHILD_NODE_COLLECTION)) {
             String msg = "Not allowed to reorder child node " + sessionContext.getJCRPath(childPath)
+ ".";
             log.debug(msg);
             throw new AccessDeniedException(msg);
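Review bot: The reorder check `acMgr.isGranted(childPath, Permission.MODIFY_CHILD_NODE_COLLECTION)` no longer consults any privilege held on the child itself, and nothing at the call site says so. Per the PrivilegeRegistry change in this commit, the new permission is derived only from add_child_nodes and remove_child_nodes on the parent, so an ACL that withholds remove_node on the child stops blocking reorder once this lands. That looks intended (the updated AbstractWriteTest expects it), but it relaxes authorization on a maintenance branch and deserves a comment such as `// reorder only touches the parent's child-node collection: needs add_child_nodes + remove_child_nodes on the parent, not remove_node on the child`. The enclosing method starts and ends outside the hunk.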
@@ -3574,10 +3574,17 @@ public class NodeImpl extends ItemImpl i
                     "Same name siblings not allowed: " + existing);
         }
 
-        // check permissions
+        // check permissions:
+        // 1. on the parent node the session must have permission to manipulate the child-entries
         AccessManager acMgr = sessionContext.getAccessManager();
-        if (!(acMgr.isGranted(getPrimaryPath(), Permission.REMOVE_NODE) &&
-                acMgr.isGranted(parent.getPrimaryPath(), qName, Permission.ADD_NODE | Permission.NODE_TYPE_MNGMT)))
{
+        if (!acMgr.isGranted(parent.getPrimaryPath(), qName, Permission.MODIFY_CHILD_NODE_COLLECTION))
{
+            String msg = "Not allowed to rename node " + safeGetJCRPath() + " to " + newName;
+            log.debug(msg);
+            throw new AccessDeniedException(msg);
+        }
+        // 2. in case of nt-changes the session must have permission to change
+        //    the primary node type on this node itself.
+        if (!nt.getName().equals(newTargetDef.getName()) && !(acMgr.isGranted(getPrimaryPath(),
Permission.NODE_TYPE_MNGMT))) {
             String msg = "Not allowed to rename node " + safeGetJCRPath() + " to " + newName;
             log.debug(msg);
             throw new AccessDeniedException(msg);
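Review bot: In the second check, `!nt.getName().equals(newTargetDef.getName())` may be comparing a node type name with a child node definition name; both variables are declared outside the hunk, so this needs confirming. If `newTargetDef` is the applicable child definition, the two names would rarely match and NODE_TYPE_MNGMT would be demanded on almost every rename, not only "in case of nt-changes" as the comment says. That fails closed, but it is not the documented policy, and testRename would not notice because it grants JCR_NODE_TYPE_MANAGEMENT before the rename that is expected to pass. Separately, both denials throw the identical message, so the debug log cannot tell which check refused; a distinct text on the second branch, e.g. `"Not allowed to change the primary type while renaming " + safeGetJCRPath()`, would help. The method body continues outside the hunk.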

Modified: jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java?rev=1202725&r1=1202724&r2=1202725&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java
(original)
+++ jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java
Wed Nov 16 14:47:50 2011
@@ -25,29 +25,31 @@ public final class Permission {
 
     public static final int READ = 1;   
 
-    public static final int SET_PROPERTY = 2;
+    public static final int SET_PROPERTY = READ << 1;
 
-    public static final int ADD_NODE = 4;
+    public static final int ADD_NODE = SET_PROPERTY << 1;
 
-    public static final int REMOVE_NODE = 8;
+    public static final int REMOVE_NODE = ADD_NODE << 1;
 
-    public static final int REMOVE_PROPERTY = 16;
+    public static final int REMOVE_PROPERTY = REMOVE_NODE << 1;
 
-    public static final int READ_AC = 32;
+    public static final int READ_AC = REMOVE_PROPERTY << 1;
     
-    public static final int MODIFY_AC = 64;
+    public static final int MODIFY_AC = READ_AC << 1;
 
-    public static final int NODE_TYPE_MNGMT = 128;
+    public static final int NODE_TYPE_MNGMT = MODIFY_AC << 1;
 
-    public static final int VERSION_MNGMT = 256;
+    public static final int VERSION_MNGMT = NODE_TYPE_MNGMT << 1;
 
-    public static final int LOCK_MNGMT = 512;
+    public static final int LOCK_MNGMT = VERSION_MNGMT << 1;
 
-    public static final int LIFECYCLE_MNGMT = 1024;
+    public static final int LIFECYCLE_MNGMT = LOCK_MNGMT << 1;
 
-    public static final int RETENTION_MNGMT = 2048;
+    public static final int RETENTION_MNGMT = LIFECYCLE_MNGMT << 1;
 
-    public static final int ALL = (READ | SET_PROPERTY | ADD_NODE | REMOVE_NODE | REMOVE_PROPERTY
| READ_AC | MODIFY_AC | NODE_TYPE_MNGMT | VERSION_MNGMT | LOCK_MNGMT | LIFECYCLE_MNGMT | RETENTION_MNGMT);
+    public static final int MODIFY_CHILD_NODE_COLLECTION = RETENTION_MNGMT << 1;
+
+    public static final int ALL = (READ | SET_PROPERTY | ADD_NODE | REMOVE_NODE | REMOVE_PROPERTY
| READ_AC | MODIFY_AC | NODE_TYPE_MNGMT | VERSION_MNGMT | LOCK_MNGMT | LIFECYCLE_MNGMT | RETENTION_MNGMT
| MODIFY_CHILD_NODE_COLLECTION);
 
     /**
      * Returns those bits from <code>permissions</code> that are not present
in
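Review bot: `MODIFY_CHILD_NODE_COLLECTION` is added without Javadoc, and it is the one constant here whose meaning cannot be guessed from a single JCR privilege. I would add `/** Permission to reorder or rename entries in a node's child collection; granted when both add_child_nodes and remove_child_nodes are held on the parent. */` above it. Because the bit is also folded into `ALL`, an access manager or provider outside this codebase that builds permission masks from the older constants would presumably not set it and would start denying reorder and rename after the merge. That fails closed, but it is worth a line in the 2.2 release notes. The hunk ends inside the following Javadoc, so the rest of the class is not visible here.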

Modified: jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java?rev=1202725&r1=1202724&r2=1202725&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java
(original)
+++ jackrabbit/branches/2.2/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java
Wed Nov 16 14:47:50 2011
@@ -217,7 +217,9 @@ public final class PrivilegeRegistry {
     }
 
     /**
-     * Build the permissions granted by evaluating the given privileges.
+     * Build the permissions granted by evaluating the given privileges. Note,
+     * that only built-in privileges can be mapped to permissions. Any other
+     * privileges will be ignored.
      *
      * @param privs The privileges granted on the Node itself (for properties
      * the ACL of the direct ancestor).
@@ -255,6 +257,14 @@ public final class PrivilegeRegistry {
             if ((parentPrivs & ADD_CHILD_NODES) == ADD_CHILD_NODES) {
                 perm |= Permission.ADD_NODE;
             }
+
+            // modify_child_node_collection permission is granted through
+            // privileges on the parent
+            if ((parentPrivs & ADD_CHILD_NODES) == ADD_CHILD_NODES &&
+                    (parentPrivs & REMOVE_CHILD_NODES) == REMOVE_CHILD_NODES) {
+                perm |= Permission.MODIFY_CHILD_NODE_COLLECTION;
+            }
+
             /*
              remove_node is
              allowed: only if remove_child_nodes privilege is present on
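Review bot: The new condition tests `ADD_CHILD_NODES` a second time, right after the branch above it already did, and spells the two-bit test as two separate comparisons. A single mask reads more directly and is harder to get half-right in a later edit: `int childCollection = ADD_CHILD_NODES | REMOVE_CHILD_NODES;` followed by `if ((parentPrivs & childCollection) == childCollection) {`. The enclosing method and the branch this sits in start outside the hunk, so whether this path is reached only for node targets cannot be confirmed from here.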

Modified: jackrabbit/branches/2.2/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java?rev=1202725&r1=1202724&r2=1202725&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java
(original)
+++ jackrabbit/branches/2.2/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java
Wed Nov 16 14:47:50 2011
@@ -16,6 +16,7 @@
  */
 package org.apache.jackrabbit.core.security.authorization;
 
+import org.apache.jackrabbit.api.JackrabbitNode;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.core.UserTransactionImpl;
@@ -991,21 +992,38 @@ public abstract class AbstractWriteTest 
         }
 
         // add 'remove_child_nodes' at 'path
-        // -> not sufficient for a reorder since 'remove_node' privilege is missing
-        //    on the target
+        // -> reorder must now succeed
         givePrivileges(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES), getRestrictions(superuser,
path));
+        n.orderBefore(Text.getName(childNPath), Text.getName(childNPath2));
+        testSession.save();
+    }
+
+    public void testRename() throws RepositoryException, NotExecutableException {
+        Session testSession = getTestSession();
+        Node child = testSession.getNode(childNPath);
         try {
-            n.orderBefore(Text.getName(childNPath), Text.getName(childNPath2));
+            ((JackrabbitNode) child).rename("rename");
             testSession.save();
-            fail("test session must not be allowed to reorder nodes.");
+            fail("test session must not be allowed to rename nodes.");
         } catch (AccessDeniedException e) {
             // success.
         }
 
-        // allow 'remove_node' at childNPath
-        // -> now reorder must succeed
-        givePrivileges(childNPath, privilegesFromName(Privilege.JCR_REMOVE_NODE), getRestrictions(superuser,
childNPath));
-        n.orderBefore(Text.getName(childNPath), Text.getName(childNPath2));
+        // give 'add_child_nodes' and 'nt-management' privilege
+        // -> not sufficient privileges for a renaming of the child
+        givePrivileges(path, privilegesFromNames(new String[] {Privilege.JCR_ADD_CHILD_NODES,
Privilege.JCR_NODE_TYPE_MANAGEMENT}), getRestrictions(superuser, path));
+        try {
+            ((JackrabbitNode) child).rename("rename");
+            testSession.save();
+            fail("test session must not be allowed to rename nodes.");
+        } catch (AccessDeniedException e) {
+            // success.
+        }
+
+        // add 'remove_child_nodes' at 'path
+        // -> rename of child must now succeed
+        givePrivileges(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES), getRestrictions(superuser,
path));
+        ((JackrabbitNode) child).rename("rename");
         testSession.save();
     }
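Review bot: testRename never exercises a rename without node type management, because JCR_NODE_TYPE_MANAGEMENT is granted together with JCR_ADD_CHILD_NODES in the second step and the only passing rename runs with all three privileges. The new NodeImpl code states that this permission is required only when the primary type changes, and that branch is left untested. I would add a case that grants just the two child-collection privileges on `path` and expects the rename to pass, as sketched below. It relies on the same fixture fields (`path`, `childNPath`, `superuser`) that testRename uses, which are set up outside the hunk.

```java
    public void testRenameWithoutNodeTypeManagement() throws RepositoryException, NotExecutableException {
        Session testSession = getTestSession();
        Node child = testSession.getNode(childNPath);

        // only the two child-collection privileges on the parent, no nt-management
        givePrivileges(path, privilegesFromNames(new String[] {
                Privilege.JCR_ADD_CHILD_NODES,
                Privilege.JCR_REMOVE_CHILD_NODES}), getRestrictions(superuser, path));

        // the primary type is unchanged, so the rename must be allowed
        ((JackrabbitNode) child).rename("rename");
        testSession.save();
    }
```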
 

Modified: jackrabbit/branches/2.2/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java?rev=1202725&r1=1202724&r2=1202725&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java
(original)
+++ jackrabbit/branches/2.2/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java
Wed Nov 16 14:47:50 2011
@@ -38,6 +38,7 @@ public class TestAll extends TestCase {
         suite.addTestSuite(PrivilegeRegistryTest.class);
         suite.addTestSuite(JackrabbitAccessControlListTest.class);
         suite.addTestSuite(GlobPatternTest.class);
+        suite.addTestSuite(PermissionTest.class);
 
         return suite;
     }


