jackrabbit-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "angela (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JCR-2488) Add the ability to disable inheriting ancestor ACLs
Date Tue, 09 Mar 2010 08:53:27 GMT

    [ https://issues.apache.org/jira/browse/JCR-2488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12842969#action_12842969

angela commented on JCR-2488:

> Do you know how soon custom collectors functionality might be available? 

i'll try to get it into jackrabbit 2.2.

regarding your proposal: i'm currently evaluating whether we could add restrictions to the
resource-based acl similar to the
restrictions present in the principal-based in order to limit the scope of items in the subtree
that are affected. if this turns out to 
be feasible, we may also allow to limit the scope of the acl to the resource it is applied
to, which i guess would match your requirement. i have no concrete ideas yet, but just wanted
to let you know.

> Add the ability to disable inheriting ancestor ACLs
> ---------------------------------------------------
>                 Key: JCR-2488
>                 URL: https://issues.apache.org/jira/browse/JCR-2488
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.0.0
>            Reporter: Weston Bustraan
>            Assignee: angela
>            Priority: Minor
>         Attachments: windows-xp-permission-inheritance.jpg
> The current ACL implementation will walk the tree from the item being accessed, up to
the root, collecting ACL entries for all the ancestors. With this system, there is no easy
way to restrict access to subnodes except by adding DENY entries to negate the entries inherited
from the parent nodes.
> I'd like to request a way to turn this behavior off either at a node level or global
> The place where recursion is happening is in org.apache.jackrabbit.core.security.authorization.acl.ACLProvider$Entries.collectEntries(NodeImpl
node). Inside this method, it could perhaps check a global parameter or the existence of property
of the ACL policy node to determine whether to recurse up the tree.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message