[ https://issues.apache.org/jira/browse/JCR-2488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12831338#action_12831338 ] 

angela commented on JCR-2488:
-----------------------------

not sure if i like this idea. it's the behavior of this ACLProvider that the entries inherited from the parent nodes
are respected.
however, i'm currently working on the performance of ac evaluation and i planned to moved the collection of effective ACEs to a top level class. i could easily add means so you can provide your own collector that doesn't walk up the hierarchy.

> Add the ability to disable inheriting ancestor ACLs
> ---------------------------------------------------
>
>                 Key: JCR-2488
>                 URL: https://issues.apache.org/jira/browse/JCR-2488
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.0.0
>            Reporter: Weston Bustraan
>            Priority: Minor
>
> The current ACL implementation will walk the tree from the item being accessed, up to the root, collecting ACL entries for all the ancestors. With this system, there is no easy way to restrict access to subnodes except by adding DENY entries to negate the entries inherited from the parent nodes.
> I'd like to request a way to turn this behavior off either at a node level or global level.
> The place where recursion is happening is in org.apache.jackrabbit.core.security.authorization.acl.ACLProvider$Entries.collectEntries(NodeImpl node). Inside this method, it could perhaps check a global parameter or the existence of property of the ACL policy node to determine whether to recurse up the tree.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.