jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From tri...@apache.org
Subject svn commit: r1700513 - in /jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization: AbstractEvaluationTest.java acl/RestrictionTest.java acl/TestAll.java
Date Tue, 01 Sep 2015 12:07:31 GMT
Author: tripod
Date: Tue Sep  1 12:07:31 2015
New Revision: 1700513

URL: http://svn.apache.org/r1700513
Log:
OAK-3324 hasPermission does not reflect actual behavior with restrictions

- add oak test for comparison

Added:
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/RestrictionTest.java
      - copied, changed from r1700496, jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java
Modified:
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java?rev=1700513&r1=1700512&r2=1700513&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEvaluationTest.java
Tue Sep  1 12:07:31 2015
@@ -184,7 +184,7 @@ public abstract class AbstractEvaluation
         return modifyPrivileges(path, testUser.getPrincipal(), privilegesFromName(privilege),
isAllow, getRestrictions(superuser, path));
     }
 
-    private JackrabbitAccessControlList modifyPrivileges(String path, Principal principal,
Privilege[] privileges, boolean isAllow, Map<String, Value> restrictions) throws NotExecutableException,
RepositoryException {
+    protected JackrabbitAccessControlList modifyPrivileges(String path, Principal principal,
Privilege[] privileges, boolean isAllow, Map<String, Value> restrictions) throws NotExecutableException,
RepositoryException {
         JackrabbitAccessControlList tmpl = getPolicy(acMgr, path, principal);
         tmpl.addEntry(principal, privileges, isAllow, restrictions);
         

Copied: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/RestrictionTest.java
(from r1700496, jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java)
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/RestrictionTest.java?p2=jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/RestrictionTest.java&p1=jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java&r1=1700496&r2=1700513&rev=1700513&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/RestrictionTest.java
Tue Sep  1 12:07:31 2015
@@ -16,49 +16,52 @@
  */
 package org.apache.jackrabbit.core.security.authorization.acl;
 
-import org.apache.jackrabbit.JcrConstants;
-import org.apache.jackrabbit.api.JackrabbitSession;
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
-import org.apache.jackrabbit.api.security.user.Authorizable;
-import org.apache.jackrabbit.api.security.user.Group;
-import org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest;
-import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
-import org.apache.jackrabbit.test.NotExecutableException;
-import org.junit.Test;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
 
 import javax.jcr.AccessDeniedException;
 import javax.jcr.Node;
-import javax.jcr.PathNotFoundException;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
 import javax.jcr.Value;
-import javax.jcr.ValueFactory;
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.Privilege;
-import java.security.Principal;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
+
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest;
+import org.apache.jackrabbit.test.NotExecutableException;
+import org.apache.jackrabbit.value.StringValue;
 
 /**
  * <code>ReadTest</code>...
  */
-public class ReadTest extends AbstractEvaluationTest {
+public class RestrictionTest extends AbstractEvaluationTest {
 
-    private String path;
-    private String childNPath;
+    private String path_root;
+    private String path_a;
+    private String path_b;
+    private String path_c;
+    private String path_d;
 
     @Override
     protected void setUp() throws Exception {
         super.setUp();
 
         // create some nodes below the test root in order to apply ac-stuff
-        Node node = testRootNode.addNode(nodeName1, testNodeType);
-        Node cn1 = node.addNode(nodeName2, testNodeType);
+        Node a = testRootNode.addNode("a", testNodeType);
+        Node b = a.addNode("b", testNodeType);
+        Node c = b.addNode("c", testNodeType);
+        Node d = c.addNode("d", testNodeType);
         superuser.save();
 
-        path = node.getPath();
-        childNPath = cn1.getPath();
+        path_root = testRootNode.getPath();
+        path_a = a.getPath();
+        path_b = b.getPath();
+        path_c = c.getPath();
+        path_d = d.getPath();
     }
 
     @Override
@@ -76,428 +79,56 @@ public class ReadTest extends AbstractEv
         return Collections.emptyMap();
     }
 
-    public void testReadDenied() throws Exception {
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-
-        /* deny READ privilege for testUser at 'path' */
-        withdrawPrivileges(path, privileges, getRestrictions(superuser, path));
-        /*
-         allow READ privilege for testUser at 'childNPath'
-         */
-        givePrivileges(childNPath, privileges, getRestrictions(superuser, childNPath));
-
-
-        Session testSession = getTestSession();
-
-        assertFalse(testSession.nodeExists(path));
-        assertTrue(testSession.nodeExists(childNPath));
-        Node n = testSession.getNode(childNPath);
-        n.getDefinition();
-    }
-
-    public void testDenyUserAllowGroup() throws Exception {
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-        Principal group = getTestGroup().getPrincipal();
-
-        /*
-         deny READ privilege for testUser at 'path'
-         */
-        withdrawPrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser,
path));
-        /*
-         allow READ privilege for group at 'path'
-         */
-        givePrivileges(path, group, privileges, getRestrictions(superuser, path));
-
-        Session testSession = getTestSession();
-        assertFalse(testSession.nodeExists(path));
-    }
-
-    public void testAllowGroupDenyUser() throws Exception {
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-        Principal group = getTestGroup().getPrincipal();
-
-        /*
-        allow READ privilege for group at 'path'
-        */
-        givePrivileges(path, group, privileges, getRestrictions(superuser, path));
-        /*
-        deny READ privilege for testUser at 'path'
-        */
-        withdrawPrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser,
path));
-
-        Session testSession = getTestSession();
-        assertFalse(testSession.nodeExists(path));
-    }
-
-    public void testAllowUserDenyGroup() throws Exception {
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-        Principal group = getTestGroup().getPrincipal();
-
-        /*
-         allow READ privilege for testUser at 'path'
-         */
-        givePrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser,
path));
-        /*
-         deny READ privilege for group at 'path'
-         */
-        withdrawPrivileges(path, group, privileges, getRestrictions(superuser, path));
-
-        Session testSession = getTestSession();
-        assertTrue(testSession.nodeExists(path));
-    }
-
-    public void testDenyGroupAllowUser() throws Exception {
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-        Principal group = getTestGroup().getPrincipal();
-
-        /*
-         deny READ privilege for group at 'path'
-         */
-        withdrawPrivileges(path, group, privileges, getRestrictions(superuser, path));
-
-        /*
-         allow READ privilege for testUser at 'path'
-         */
-        givePrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser,
path));
-
-        Session testSession = getTestSession();
-        assertTrue(testSession.nodeExists(path));
-    }
-
-    public void testDenyGroupAllowEveryone() throws Exception {
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-        Principal group = getTestGroup().getPrincipal();
-        Principal everyone = ((JackrabbitSession) superuser).getPrincipalManager().getEveryone();
-
-        /*
-         deny READ privilege for group at 'path'
-         */
-        withdrawPrivileges(path, group, privileges, getRestrictions(superuser, path));
-
-        /*
-         allow READ privilege for everyone at 'path'
-         */
-        givePrivileges(path, everyone, privileges, getRestrictions(superuser, path));
-
-        Session testSession = getTestSession();
-        assertTrue(testSession.nodeExists(path));
-    }
-
-    public void testAllowEveryoneDenyGroup() throws Exception {
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-        Principal group = getTestGroup().getPrincipal();
-        Principal everyone = ((JackrabbitSession) superuser).getPrincipalManager().getEveryone();
-
-        /*
-         allow READ privilege for everyone at 'path'
-         */
-        givePrivileges(path, everyone, privileges, getRestrictions(superuser, path));
-
-        /*
-         deny READ privilege for group at 'path'
-         */
-        withdrawPrivileges(path, group, privileges, getRestrictions(superuser, path));
-
-        Session testSession = getTestSession();
-        assertFalse(testSession.nodeExists(path));
-    }
-
-    public void testDenyGroupPathAllowEveryoneChildPath() throws Exception {
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-        Principal group = getTestGroup().getPrincipal();
-        Principal everyone = ((JackrabbitSession) superuser).getPrincipalManager().getEveryone();
-
-        /*
-         deny READ privilege for group at 'path'
-         */
-        withdrawPrivileges(path, group, privileges, getRestrictions(superuser, path));
-
-        /*
-         allow READ privilege for everyone at 'childNPath'
-         */
-        givePrivileges(path, everyone, privileges, getRestrictions(superuser, childNPath));
-
-        Session testSession = getTestSession();
-        assertTrue(testSession.nodeExists(childNPath));
-    }
-
-    public void testAllowEveryonePathDenyGroupChildPath() throws Exception {
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-        Principal group = getTestGroup().getPrincipal();
-        Principal everyone = ((JackrabbitSession) superuser).getPrincipalManager().getEveryone();
-
-        /*
-         allow READ privilege for everyone at 'path'
-         */
-        givePrivileges(path, everyone, privileges, getRestrictions(superuser, path));
-
-        /*
-         deny READ privilege for group at 'childNPath'
-         */
-        withdrawPrivileges(path, group, privileges, getRestrictions(superuser, childNPath));
-
-        Session testSession = getTestSession();
-        assertFalse(testSession.nodeExists(childNPath));
-    }
-
-    public void testAllowUserPathDenyGroupChildPath() throws Exception {
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-        Principal group = getTestGroup().getPrincipal();
-
-        /*
-         allow READ privilege for testUser at 'path'
-         */
-        givePrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser,
path));
-        /*
-         deny READ privilege for group at 'childPath'
-         */
-        withdrawPrivileges(path, group, privileges, getRestrictions(superuser, childNPath));
-
-        Session testSession = getTestSession();
-        assertTrue(testSession.nodeExists(childNPath));
-    }
-
-    public void testDenyGroupPathAllowUserChildPath() throws Exception {
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-        Principal group = getTestGroup().getPrincipal();
-
-        /*
-         deny READ privilege for group at 'path'
-         */
-        withdrawPrivileges(path, group, privileges, getRestrictions(superuser, path));
-
-        /*
-         allow READ privilege for testUser at 'childNPath'
-         */
-        givePrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser,
childNPath));
-
-        Session testSession = getTestSession();
-        assertTrue(testSession.nodeExists(childNPath));
-    }
-
-    public void testDenyUserPathAllowGroupChildPath() throws Exception {
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-        Principal group = getTestGroup().getPrincipal();
-
-        /*
-         deny READ privilege for testUser at 'path'
-         */
-        withdrawPrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser,
path));
-        /*
-         allow READ privilege for group at 'childNPath'
-         */
-        givePrivileges(path, group, privileges, getRestrictions(superuser, childNPath));
-
-        Session testSession = getTestSession();
-        assertFalse(testSession.nodeExists(childNPath));
-    }
-
-    public void testAllowGroupPathDenyUserChildPath() throws Exception {
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-        Principal group = getTestGroup().getPrincipal();
-
-        /*
-        allow READ privilege for everyone at 'path'
-        */
-        givePrivileges(path, group, privileges, getRestrictions(superuser, path));
-        /*
-        deny READ privilege for testUser at 'childNPath'
-        */
-        withdrawPrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser,
childNPath));
-
-        Session testSession = getTestSession();
-        assertFalse(testSession.nodeExists(childNPath));
-    }
-
-    public void testGlobRestriction() throws Exception {
-        Session testSession = getTestSession();
-        AccessControlManager testAcMgr = getTestACManager();
-        ValueFactory vf = superuser.getValueFactory();
-        /*
-          precondition:
-          testuser must have READ-only permission on test-node and below
-        */
-        checkReadOnly(path);
-        checkReadOnly(childNPath);
-
-        Privilege[] read = privilegesFromName(Privilege.JCR_READ);
-
-        Map<String, Value> restrictions = new HashMap<String, Value>(getRestrictions(superuser,
path));
-        restrictions.put(AccessControlConstants.P_GLOB.toString(), vf.createValue("*/"+jcrPrimaryType));
-
-        withdrawPrivileges(path, read, restrictions);
-
-        assertTrue(testAcMgr.hasPrivileges(path, read));
-        assertTrue(testSession.hasPermission(path, javax.jcr.Session.ACTION_READ));
-        testSession.getNode(path);
-
-        assertTrue(testAcMgr.hasPrivileges(childNPath, read));
-        assertTrue(testSession.hasPermission(childNPath, javax.jcr.Session.ACTION_READ));
-        testSession.getNode(childNPath);
-
-        String propPath = path + "/" + jcrPrimaryType;
-        assertFalse(testSession.hasPermission(propPath, javax.jcr.Session.ACTION_READ));
-        assertFalse(testSession.propertyExists(propPath));
-
-        propPath = childNPath + "/" + jcrPrimaryType;
-        assertFalse(testSession.hasPermission(propPath, javax.jcr.Session.ACTION_READ));
-        assertFalse(testSession.propertyExists(propPath));
-    }
-
-    /**
-     * @see <a href="https://issues.apache.org/jira/browse/OAK-2412">OAK-2412</a>
-     */
-    @Test
-    public void testEmptyGlobRestriction()throws Exception{
-        Node grandchild = superuser.getNode(childNPath).addNode("child");
-        String ccPath = grandchild.getPath();
-        superuser.save();
-
-        // first deny access to 'path' (read-access is granted in the test setup)
-        Privilege[] read = privilegesFromName(Privilege.JCR_READ);
-        withdrawPrivileges(path, read, Collections.EMPTY_MAP);
-
-        Session testSession = getTestSession();
-        assertFalse(testSession.nodeExists(path));
-        assertFalse(canGetNode(testSession, path));
-        assertFalse(testSession.nodeExists(childNPath));
-        assertFalse(canGetNode(testSession, childNPath));
-        assertFalse(testSession.nodeExists(ccPath));
-        assertFalse(canGetNode(testSession, ccPath));
-        assertFalse(testSession.propertyExists(childNPath + '/' + JcrConstants.JCR_PRIMARYTYPE));
-
-        Map<String, Value> emptyStringRestriction = new HashMap<String, Value>(getRestrictions(superuser,
childNPath));
-        emptyStringRestriction.put(AccessControlConstants.P_GLOB.toString(), vf.createValue(""));
-
-        givePrivileges(childNPath, read, emptyStringRestriction);
-        assertFalse(testSession.nodeExists(path));
-        assertFalse(canGetNode(testSession, path));
-        assertTrue(testSession.nodeExists(childNPath));
-        assertTrue(canGetNode(testSession, childNPath));
-        assertFalse(testSession.nodeExists(ccPath));
-        assertFalse(canGetNode(testSession, ccPath));
-        assertFalse(testSession.propertyExists(childNPath + '/' + JcrConstants.JCR_PRIMARYTYPE));
-
-        givePrivileges(ccPath, read, Collections.EMPTY_MAP);
-        assertTrue(testSession.nodeExists(ccPath));
-        assertTrue(canGetNode(testSession, ccPath));
-        assertTrue(testSession.propertyExists(ccPath + '/' + JcrConstants.JCR_PRIMARYTYPE));
+    private void addEntry(String path, boolean grant, String restriction, String... privilegeNames)
throws Exception {
+        if (restriction.length() > 0) {
+            Map<String, Value> rs = new HashMap<String, Value>();
+            rs.put("rep:glob", new StringValue(restriction));
+            modifyPrivileges(path, testUser.getPrincipal(), AccessControlUtils.privilegesFromNames(acMgr,
privilegeNames), grant, rs);
+        } else {
+            modifyPrivileges(path, testUser.getPrincipal(), AccessControlUtils.privilegesFromNames(acMgr,
privilegeNames), grant, Collections.<String, Value>emptyMap());
+        }
     }
 
     /**
-     * @see <a href="https://issues.apache.org/jira/browse/OAK-2412">OAK-2412</a>
+     * Tests if the restriction are active at the proper place
      */
-    @Test
-    public void testEmptyGlobRestriction2()throws Exception{
-        Node grandchild = superuser.getNode(childNPath).addNode("child");
-        String ccPath = grandchild.getPath();
-        superuser.save();
-
-        // first deny access to 'path' (read-access is granted in the test setup)
-        Privilege[] read = privilegesFromName(Privilege.JCR_READ);
-        withdrawPrivileges(path, read, Collections.EMPTY_MAP);
+    public void testHasPermissionWithRestrictions() throws Exception {
+        // create permissions
+        // allow rep:write      /testroot
+        // deny  jcr:removeNode /testroot/a  glob=*/c
+        // allow jcr:removeNode /testroot/a  glob=*/b
+        // allow jcr:removeNode /testroot/a  glob=*/c/*
+
+        addEntry(path_root, true, "", Privilege.JCR_READ, Privilege.JCR_WRITE);
+        addEntry(path_a, false, "*/c", Privilege.JCR_REMOVE_NODE);
+        addEntry(path_a, true, "*/b", Privilege.JCR_REMOVE_NODE);
+        addEntry(path_a, true, "*/c/*", Privilege.JCR_REMOVE_NODE);
 
         Session testSession = getTestSession();
-        assertFalse(testSession.nodeExists(path));
-        assertFalse(canGetNode(testSession, path));
-        assertFalse(testSession.nodeExists(childNPath));
-        assertFalse(canGetNode(testSession, childNPath));
-        assertFalse(testSession.nodeExists(ccPath));
-        assertFalse(canGetNode(testSession, ccPath));
-        assertFalse(testSession.propertyExists(childNPath + '/' + JcrConstants.JCR_PRIMARYTYPE));
-
-        Map<String, Value> emptyStringRestriction = new HashMap<String, Value>(getRestrictions(superuser,
path));
-        emptyStringRestriction.put(AccessControlConstants.P_GLOB.toString(), vf.createValue(""));
-
-        givePrivileges(path, read, emptyStringRestriction);
-        assertTrue(testSession.nodeExists(path));
-        assertTrue(canGetNode(testSession, path));
-        assertFalse(testSession.nodeExists(childNPath));
-        assertFalse(canGetNode(testSession, childNPath));
-        assertFalse(testSession.nodeExists(ccPath));
-        assertFalse(canGetNode(testSession, ccPath));
-        assertFalse(testSession.propertyExists(childNPath + '/' + JcrConstants.JCR_PRIMARYTYPE));
-    }
-
-    /**
-     * @see <a href="https://issues.apache.org/jira/browse/OAK-2412">OAK-2412</a>
-     */
-    @Test
-    public void testEmptyGlobRestriction3()throws Exception{
-        Node child2 = superuser.getNode(path).addNode("child2");
-        String childNPath2 = child2.getPath();
-        superuser.save();
-
         try {
-            Group group1 = getTestGroup();
-            Group group2 = getUserManager(superuser).createGroup("group2");
-            group2.addMember(testUser);
-            Group group3 = getUserManager(superuser).createGroup("group3");
-            superuser.save();
-
-            assertTrue(group1.isDeclaredMember(testUser));
-            assertTrue(group2.isDeclaredMember(testUser));
-            assertFalse(group3.isDeclaredMember(testUser));
-
-            Privilege[] read = privilegesFromName(Privilege.JCR_READ);
-
-            withdrawPrivileges(path, group1.getPrincipal(), read, Collections.EMPTY_MAP);
-            Map<String, Value> emptyStringRestriction = new HashMap<String, Value>(getRestrictions(superuser,
path));
-            emptyStringRestriction.put(AccessControlConstants.P_GLOB.toString(), vf.createValue(""));
-            givePrivileges(path, group1.getPrincipal(), read, emptyStringRestriction);
-
-            withdrawPrivileges(childNPath, group2.getPrincipal(), read, Collections.EMPTY_MAP);
-            emptyStringRestriction = new HashMap<String, Value>(getRestrictions(superuser,
childNPath));
-            emptyStringRestriction.put(AccessControlConstants.P_GLOB.toString(), vf.createValue(""));
-            givePrivileges(childNPath, group2.getPrincipal(), read, emptyStringRestriction);
-
-            withdrawPrivileges(childNPath2, group3.getPrincipal(), read, Collections.EMPTY_MAP);
-            emptyStringRestriction = new HashMap<String, Value>(getRestrictions(superuser,
childNPath2));
-            emptyStringRestriction.put(AccessControlConstants.P_GLOB.toString(), vf.createValue(""));
-            givePrivileges(childNPath2, group3.getPrincipal(), read, emptyStringRestriction);
-
-            // NOTE: test-session is created here and is expected to reflect the
-            // group membership changes made above.
-            Session testSession = getTestSession();
-            assertTrue(testSession.nodeExists(path));
-            assertTrue(testSession.nodeExists(childNPath));
-            assertFalse(testSession.nodeExists(childNPath2));
-        } finally {
-            Authorizable g2 = getUserManager(superuser).getAuthorizable("group2");
-            if (g2 != null) {
-                g2.remove();
-            }
-            Authorizable g3 = getUserManager(superuser).getAuthorizable("group3");
-            if (g3 != null) {
-                g3.remove();
-            }
-            superuser.save();
-        }
-    }
+            AccessControlManager acMgr = getAccessControlManager(testSession);
 
-    private static boolean canGetNode(Session session, String nodePath) throws RepositoryException
{
-        try {
-            session.getNode(nodePath);
-            return true;
-        } catch (PathNotFoundException e) {
-            return false;
+            assertFalse("user should not have remove node on /a/b/c",
+                    acMgr.hasPrivileges(path_c, AccessControlUtils.privilegesFromNames(acMgr,
Privilege.JCR_REMOVE_NODE)));
+            assertTrue("user should have remove node on /a/b",
+                    acMgr.hasPrivileges(path_b, AccessControlUtils.privilegesFromNames(acMgr,
Privilege.JCR_REMOVE_NODE)));
+            assertTrue("user should have remove node on /a/b/c/d",
+                    acMgr.hasPrivileges(path_d, AccessControlUtils.privilegesFromNames(acMgr,
Privilege.JCR_REMOVE_NODE)));
+
+            // should be able to remove /a/b/c/d
+            testSession.getNode(path_d).remove();
+            testSession.save();
+
+            try {
+                testSession.getNode(path_c).remove();
+                testSession.save();
+                fail("removing node on /a/b/c should fail");
+            } catch (RepositoryException e) {
+                // all ok
+            }
+        } finally {
+            testSession.logout();
         }
     }
 
-    public void testRemoveMixin() throws Exception {
-        Node n = superuser.getNode(path);
-        
-        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
-
-        withdrawPrivileges(path, privileges, getRestrictions(superuser, path));
-
-        assertTrue(n.hasNode("rep:policy"));
-        assertTrue(n.isNodeType("rep:AccessControllable"));
-
-        n.removeMixin("rep:AccessControllable");
-
-        superuser.save();
-        assertFalse(n.hasNode("rep:policy"));
-        assertFalse(n.isNodeType("rep:AccessControllable"));
-    }
 }
\ No newline at end of file

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java?rev=1700513&r1=1700512&r2=1700513&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java
Tue Sep  1 12:07:31 2015
@@ -52,6 +52,7 @@ public class TestAll extends TestCase {
         suite.addTestSuite(ACLEditorTest.class);
         suite.addTestSuite(RepositoryOperationTest.class);
         suite.addTestSuite(MoveTest.class);
+        suite.addTestSuite(RestrictionTest.class);
 
         return suite;
     }



Mime
View raw message