jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1558120 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/ oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/ oak-jcr/ oak-jcr/src/test/java/...
Date Tue, 14 Jan 2014 17:30:57 GMT
Author: angela
Date: Tue Jan 14 17:30:57 2014
New Revision: 1558120

URL: http://svn.apache.org/r1558120
Log:
    OAK-1223

Inconsistent entry filtering for ADD_NODE and REMOVE_NODE permission

Added:
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteRestrictionTest.java
  (with props)
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/EntryPredicate.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
    jackrabbit/oak/trunk/oak-jcr/pom.xml
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1558120&r1=1558119&r2=1558120&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
Tue Jan 14 17:30:57 2014
@@ -236,7 +236,7 @@ final class CompiledPermissionImpl imple
 
     @Override
     public boolean isGranted(@Nonnull String path, long permissions) {
-        Iterator<PermissionEntry> it = getEntryIterator(new EntryPredicate(path));
+        Iterator<PermissionEntry> it = getEntryIterator(new EntryPredicate(path, Permissions.respectParentPermissions(permissions)));
         return hasPermissions(it, permissions, path);
     }
 
@@ -253,7 +253,7 @@ final class CompiledPermissionImpl imple
     //------------------------------------------------------------< private >---
 
     private boolean internalIsGranted(@Nonnull Tree tree, @Nullable PropertyState property,
long permissions) {
-        Iterator<PermissionEntry> it = getEntryIterator(new EntryPredicate(tree, property));
+        Iterator<PermissionEntry> it = getEntryIterator(tree, property, permissions);
         return hasPermissions(it, permissions, tree.getPath());
     }
 
@@ -265,9 +265,7 @@ final class CompiledPermissionImpl imple
             return false;
         }
 
-        boolean respectParent = (path != null) &&
-                (Permissions.includes(permissions, Permissions.ADD_NODE) ||
-                        Permissions.includes(permissions, Permissions.REMOVE_NODE));
+        boolean respectParent = (path != null) && Permissions.respectParentPermissions(permissions);
 
         long allows = (isReadable) ? Permissions.READ : Permissions.NO_PERMISSION;
         long denies = Permissions.NO_PERMISSION;
@@ -349,7 +347,7 @@ final class CompiledPermissionImpl imple
     private PrivilegeBits getPrivilegeBits(@Nullable Tree tree) {
         EntryPredicate pred = (tree == null)
                 ? new EntryPredicate()
-                : new EntryPredicate(tree, null);
+                : new EntryPredicate(tree, null, false);
         Iterator<PermissionEntry> entries = getEntryIterator(pred);
 
         PrivilegeBits allowBits = PrivilegeBits.getInstance();
@@ -372,6 +370,11 @@ final class CompiledPermissionImpl imple
     }
 
     @Nonnull
+    private Iterator<PermissionEntry> getEntryIterator(@Nonnull Tree tree, @Nullable
PropertyState property, long permissions) {
+        return getEntryIterator(new EntryPredicate(tree, property, Permissions.respectParentPermissions(permissions)));
+    }
+
+    @Nonnull
     private Iterator<PermissionEntry> getEntryIterator(@Nonnull EntryPredicate predicate)
{
         Iterator<PermissionEntry> userEntries = userStore.getEntryIterator(predicate);
         Iterator<PermissionEntry> groupEntries = groupStore.getEntryIterator(predicate);
@@ -456,7 +459,7 @@ final class CompiledPermissionImpl imple
                 long permission = (isAcTree) ? Permissions.READ_ACCESS_CONTROL : Permissions.READ_NODE;
                 PrivilegeBits requiredBits = READ_BITS.get(permission);
 
-                Iterator<PermissionEntry> it = getIterator(null);
+                Iterator<PermissionEntry> it = getIterator(null, permission);
                 while (it.hasNext()) {
                     PermissionEntry entry = it.next();
                     if (entry.privilegeBits.includes(requiredBits)) {
@@ -481,7 +484,7 @@ final class CompiledPermissionImpl imple
             }
 
             long permission = (isAcTree) ? Permissions.READ_ACCESS_CONTROL : Permissions.READ_PROPERTY;
-            Iterator<PermissionEntry> it = getIterator(property);
+            Iterator<PermissionEntry> it = getIterator(property, permission);
             while (it.hasNext()) {
                 PermissionEntry entry = it.next();
                 if (entry.privilegeBits.includes(READ_BITS.get(permission))) {
@@ -505,17 +508,17 @@ final class CompiledPermissionImpl imple
 
         @Override
         public boolean isGranted(long permissions) {
-            return hasPermissions(getIterator(null), permissions, tree.getPath());
+            return hasPermissions(getIterator(null, permissions), permissions, tree.getPath());
         }
 
         @Override
         public boolean isGranted(long permissions, @Nonnull PropertyState property) {
-            return hasPermissions(getIterator(property), permissions, tree.getPath());
+            return hasPermissions(getIterator(property, permissions), permissions, tree.getPath());
         }
 
         //--------------------------------------------------------< private >---
-        private Iterator<PermissionEntry> getIterator(@Nullable PropertyState property)
{
-            EntryPredicate predicate = new EntryPredicate(tree, property);
+        private Iterator<PermissionEntry> getIterator(@Nullable PropertyState property,
long permissions) {
+            EntryPredicate predicate = new EntryPredicate(tree, property, Permissions.respectParentPermissions(permissions));
             return concat(new LazyIterator(this, true, predicate), new LazyIterator(this,
false, predicate));
         }
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/EntryPredicate.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/EntryPredicate.java?rev=1558120&r1=1558119&r2=1558120&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/EntryPredicate.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/EntryPredicate.java
Tue Jan 14 17:30:57 2014
@@ -23,6 +23,7 @@ import javax.annotation.Nullable;
 import com.google.common.base.Predicate;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.commons.PathUtils;
 
 /**
  * Predicate used to evaluation if a given {@code PermissionEntry} matches
@@ -34,22 +35,35 @@ final class EntryPredicate implements Pr
     private final PropertyState property;
     private final String path;
 
-    public EntryPredicate(@Nonnull Tree tree, @Nullable PropertyState property) {
-        this.tree = tree;
-        this.property = property;
-        this.path = tree.getPath();
+    private final String parentPath;
+    private final Tree parent;
+
+    public EntryPredicate(@Nonnull Tree tree, @Nullable PropertyState property,
+                          boolean respectParent) {
+        this(tree, property, tree.getPath(), respectParent);
     }
 
-    public EntryPredicate(@Nonnull String path) {
-        this.tree = null;
-        this.property = null;
-        this.path = path;
+    public EntryPredicate(@Nonnull String path, boolean respectParent) {
+        this(null, null, path, respectParent);
     }
 
     public EntryPredicate() {
-        this.tree = null;
-        this.property = null;
-        this.path = null;
+        this(null, null, null, false);
+    }
+
+    private EntryPredicate(@Nullable Tree tree, @Nullable PropertyState property,
+                           @Nullable String path, boolean respectParent) {
+        this.tree = tree;
+        this.property = property;
+        this.path = path;
+
+        if (respectParent) {
+            parentPath = (path == null || "/".equals(path)) ? null : PathUtils.getParentPath(path);
+            parent = (tree == null || tree.isRoot()) ? null : tree.getParent();
+        } else {
+            parentPath = null;
+            parent = null;
+        }
     }
 
     @CheckForNull
@@ -63,11 +77,21 @@ final class EntryPredicate implements Pr
             return false;
         }
         if (tree != null) {
-            return entry.matches(tree, property);
+            return entry.matches(tree, property) || applyToParent(entry);
         } else if (path != null) {
-            return entry.matches(path);
+            return entry.matches(path) || applyToParent(entry);
         } else {
             return entry.matches();
         }
     }
+
+    private boolean applyToParent(@Nonnull PermissionEntry entry) {
+        if (parent != null) {
+            return entry.matches(parent, null);
+        } else if (parentPath != null) {
+            return entry.matches(parentPath);
+        } else {
+            return false;
+        }
+    }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java?rev=1558120&r1=1558119&r2=1558120&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
Tue Jan 14 17:30:57 2014
@@ -214,6 +214,11 @@ public final class Permissions {
         return (permissions & permissionsToTest) == permissionsToTest;
     }
 
+    public static boolean respectParentPermissions(long permissions) {
+        return Permissions.includes(permissions, Permissions.ADD_NODE) ||
+                Permissions.includes(permissions, Permissions.REMOVE_NODE);
+    }
+
      /**
       * Returns those bits from {@code permissions} that are not present in
       * the {@code otherPermissions}, i.e. subtracts the other permissions

Modified: jackrabbit/oak/trunk/oak-jcr/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/pom.xml?rev=1558120&r1=1558119&r2=1558120&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-jcr/pom.xml Tue Jan 14 17:30:57 2014
@@ -116,8 +116,6 @@
       org.apache.jackrabbit.oak.jcr.security.authorization.CopyTest#testCopyInvisibleProperty
       <!-- OAK-920 -->
       org.apache.jackrabbit.oak.jcr.security.authorization.CopyTest#testCopyInvisibleAcContent
      <!-- OAK-920 -->
 
-      org.apache.jackrabbit.oak.jcr.security.authorization.SessionMoveTest#testMoveAddSubTreeWithRestriction
<!-- OAK-1223 -->
-
       <!-- Query -->
       org.apache.jackrabbit.test.api.query.ElementTest#testElementTestNameTestSomeNTWithSNS
         <!-- OAK-203 -->
       org.apache.jackrabbit.test.api.query.SaveTest#testItemExistsException             
            <!-- OAK-203 -->

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java?rev=1558120&r1=1558119&r2=1558120&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/SessionMoveTest.java
Tue Jan 14 17:30:57 2014
@@ -25,7 +25,6 @@ import javax.jcr.security.Privilege;
 
 import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
 import org.apache.jackrabbit.util.Text;
-import org.junit.Ignore;
 import org.junit.Test;
 
 /**
@@ -141,6 +140,29 @@ public class SessionMoveTest extends Abs
     }
 
     @Test
+    public void testMoveRemoveSubTreeWithRestriction2() throws Exception {
+            /* allow READ/WRITE privilege for testUser at 'path' */
+        allow(path, testUser.getPrincipal(), readWritePrivileges);
+            /* deny REMOVE_NODE privileges at subtree. */
+        deny(path, privilegesFromName(PrivilegeConstants.JCR_REMOVE_CHILD_NODES), createGlobRestriction("*/"
+ Text.getName(childNPath)));
+
+        assertTrue(testSession.nodeExists(childNPath));
+        assertTrue(testSession.hasPermission(childNPath, Session.ACTION_REMOVE));
+        assertTrue(testSession.hasPermission(childNPath2, Session.ACTION_ADD_NODE));
+
+        testSession.move(childNPath, childNPath2 + "/dest");
+        Node dest = testSession.getNode(childNPath2 + "/dest");
+        dest.getNode(nodeName3).remove();
+
+        try {
+            testSession.save();
+            fail("Removing child node must be denied.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    @Test
     public void testMoveAndAddSubTree() throws Exception {
         allow(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES));
         allow(childNPath, privilegesFromName(Privilege.JCR_REMOVE_NODE));
@@ -199,7 +221,6 @@ public class SessionMoveTest extends Abs
         testSession.save();
     }
 
-    @Ignore("OAK-1223") // FIXME: OAK-1223
     @Test
     public void testMoveAddSubTreeWithRestriction() throws Exception {
         /* allow READ/WRITE privilege for testUser at 'path' */

Added: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteRestrictionTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteRestrictionTest.java?rev=1558120&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteRestrictionTest.java
(added)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteRestrictionTest.java
Tue Jan 14 17:30:57 2014
@@ -0,0 +1,167 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.Node;
+import javax.jcr.Session;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.test.api.util.Text;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * WriteRestrictionTest: tests add and remove node in combination with glob restrictions.
+ */
+public class WriteRestrictionTest extends AbstractEvaluationTest {
+
+    private String nodePath3;
+
+    @Override
+    @Before
+    protected void setUp() throws Exception {
+        super.setUp();
+
+        Node node3 = superuser.getNode(childNPath).addNode(nodeName3);
+        nodePath3 = node3.getPath();
+        superuser.save();
+        testSession.refresh(false);
+    }
+
+    @Test
+    public void testGlobRestriction() throws Exception {
+        String writeActions = getActions(Session.ACTION_ADD_NODE, Session.ACTION_REMOVE,
Session.ACTION_SET_PROPERTY);
+
+        // permissions defined @ path
+        // restriction: grants write priv to all nodeName3 children
+        allow(path, repWritePrivileges, createGlobRestriction("/*"+nodeName3));
+
+        assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
+        assertFalse(testSession.hasPermission(path, javax.jcr.Session.ACTION_SET_PROPERTY));
+
+        assertFalse(testAcMgr.hasPrivileges(childNPath, repWritePrivileges));
+        assertFalse(testSession.hasPermission(childNPath, javax.jcr.Session.ACTION_SET_PROPERTY));
+
+        assertTrue(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
+        assertTrue(testSession.hasPermission(childNPath2, Session.ACTION_SET_PROPERTY));
+        assertFalse(testSession.hasPermission(childNPath2, writeActions)); // removal req.
rmchildnode privilege on parent.
+
+        assertTrue(testAcMgr.hasPrivileges(nodePath3, repWritePrivileges));
+    }
+
+    @Test
+    public void testGlobRestriction2() throws Exception {
+
+        Privilege[] addNode = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
+        Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
+
+        // permissions defined @ path
+        // restriction: grants write-priv to nodeName3 grand-children but not direct nodeName3
children.
+        allow(path, repWritePrivileges, createGlobRestriction("/*/"+nodeName3));
+
+        assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
+        assertFalse(testAcMgr.hasPrivileges(path, rmNode));
+        assertFalse(testAcMgr.hasPrivileges(childNPath, addNode));
+        assertFalse(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
+        assertTrue(testAcMgr.hasPrivileges(nodePath3, repWritePrivileges));
+    }
+
+    @Test
+    public void testGlobRestriction3() throws Exception {
+        Privilege[] addNode = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
+
+        // permissions defined @ path
+        // restriction: allows write to nodeName3 children
+        allow(path, repWritePrivileges, createGlobRestriction("/*/"+nodeName3));
+        // and grant add-node only at path (no glob restriction)
+        allow(path, addNode);
+
+        assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
+        assertTrue(testAcMgr.hasPrivileges(path, addNode));
+
+        assertFalse(testAcMgr.hasPrivileges(childNPath, repWritePrivileges));
+        assertTrue(testAcMgr.hasPrivileges(childNPath, addNode));
+
+        assertFalse(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
+        assertTrue(testAcMgr.hasPrivileges(nodePath3, repWritePrivileges));
+    }
+
+    @Test
+    public void testGlobRestriction4() throws Exception {
+        Privilege[] addNode = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
+
+        allow(path, repWritePrivileges, createGlobRestriction("/*"+nodeName3));
+        deny(childNPath2, addNode);
+
+        assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
+        assertFalse(testSession.hasPermission(path, javax.jcr.Session.ACTION_REMOVE));
+        assertFalse(testAcMgr.hasPrivileges(childNPath, repWritePrivileges));
+        assertFalse(testSession.hasPermission(childNPath, javax.jcr.Session.ACTION_REMOVE));
+        assertFalse(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
+        assertTrue(testAcMgr.hasPrivileges(nodePath3, repWritePrivileges));
+    }
+
+    @Test
+    public void testRemoveSubTreeWithRestriction() throws Exception {
+        /* allow READ/WRITE privilege for testUser at 'path' */
+        allow(path, testUser.getPrincipal(), readWritePrivileges);
+        /* deny REMOVE_NODE privileges at subtree. */
+        deny(path, privilegesFromName(PrivilegeConstants.JCR_REMOVE_NODE), createGlobRestriction("*/"
+ nodeName3));
+
+        testSession.getNode(childNPath).getNode(nodeName3).remove();
+        try {
+            testSession.save();
+            fail("Removing child node must be denied.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testRemoveSubTreeWithRestriction2() throws Exception {
+        /* allow READ/WRITE privilege for testUser at 'path' */
+        allow(path, testUser.getPrincipal(), readWritePrivileges);
+        /* deny REMOVE_NODE privileges at subtree. */
+        deny(path, privilegesFromName(PrivilegeConstants.JCR_REMOVE_CHILD_NODES), createGlobRestriction("*/"
+ Text.getName(childNPath)));
+
+        testSession.getNode(childNPath).getNode(nodeName3).remove();
+        try {
+            testSession.save();
+            fail("Removing child node must be denied.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+
+    @Test
+    public void testAddSubTreeWithRestriction() throws Exception {
+        /* allow READ/WRITE privilege for testUser at 'path' */
+        allow(path, testUser.getPrincipal(), readWritePrivileges);
+        /* deny ADD_CHILD_NODES privileges at subtree. */
+        deny(path, privilegesFromName(PrivilegeConstants.JCR_ADD_CHILD_NODES), createGlobRestriction("*/"+nodeName3));
+
+        Node node4 = testSession.getNode(nodePath3).addNode(nodeName4);
+        try {
+            testSession.save();
+            fail("Adding child node must be denied.");
+        } catch (AccessDeniedException e) {
+            // success
+        }
+    }
+}
\ No newline at end of file

Propchange: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteRestrictionTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java?rev=1558120&r1=1558119&r2=1558120&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteTest.java
Tue Jan 14 17:30:57 2014
@@ -519,94 +519,6 @@ public class WriteTest extends AbstractE
     }
 
     @Test
-    public void testGlobRestriction() throws Exception {
-        Node child = superuser.getNode(childNPath).addNode(nodeName3);
-        superuser.save();
-        String childchildPath = child.getPath();
-
-        String writeActions = getActions(Session.ACTION_ADD_NODE, Session.ACTION_REMOVE,
Session.ACTION_SET_PROPERTY);
-
-        // permissions defined @ path
-        // restriction: grants write priv to all nodeName3 children
-        allow(path, repWritePrivileges, createGlobRestriction("/*"+nodeName3));
-
-        assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
-        assertFalse(testSession.hasPermission(path, javax.jcr.Session.ACTION_SET_PROPERTY));
-
-        assertFalse(testAcMgr.hasPrivileges(childNPath, repWritePrivileges));
-        assertFalse(testSession.hasPermission(childNPath, javax.jcr.Session.ACTION_SET_PROPERTY));
-
-        assertTrue(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
-        assertTrue(testSession.hasPermission(childNPath2, Session.ACTION_SET_PROPERTY));
-        assertFalse(testSession.hasPermission(childNPath2, writeActions)); // removal req.
rmchildnode privilege on parent.
-
-        assertTrue(testAcMgr.hasPrivileges(childchildPath, repWritePrivileges));
-    }
-
-    @Test
-    public void testGlobRestriction2() throws Exception {
-        Node child = superuser.getNode(childNPath).addNode(nodeName3);
-        superuser.save();
-        String childchildPath = child.getPath();
-
-        Privilege[] addNode = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
-        Privilege[] rmNode = privilegesFromName(Privilege.JCR_REMOVE_NODE);
-
-        // permissions defined @ path
-        // restriction: grants write-priv to nodeName3 grand-children but not direct nodeName3
children.
-        allow(path, repWritePrivileges, createGlobRestriction("/*/"+nodeName3));
-
-        assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
-        assertFalse(testAcMgr.hasPrivileges(path, rmNode));
-        assertFalse(testAcMgr.hasPrivileges(childNPath, addNode));
-        assertFalse(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
-        assertTrue(testAcMgr.hasPrivileges(childchildPath, repWritePrivileges));
-    }
-
-    @Test
-    public void testGlobRestriction3() throws Exception {
-        Node child = superuser.getNode(childNPath).addNode(nodeName3);
-        superuser.save();
-        String childchildPath = child.getPath();
-
-        Privilege[] addNode = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
-
-        // permissions defined @ path
-        // restriction: allows write to nodeName3 children
-        allow(path, repWritePrivileges, createGlobRestriction("/*/"+nodeName3));
-        // and grant add-node only at path (no glob restriction)
-        allow(path, addNode);
-
-        assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
-        assertTrue(testAcMgr.hasPrivileges(path, addNode));
-
-        assertFalse(testAcMgr.hasPrivileges(childNPath, repWritePrivileges));
-        assertTrue(testAcMgr.hasPrivileges(childNPath, addNode));
-
-        assertFalse(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
-        assertTrue(testAcMgr.hasPrivileges(childchildPath, repWritePrivileges));
-    }
-
-    @Test
-    public void testGlobRestriction4() throws Exception {
-        Node child = superuser.getNode(childNPath).addNode(nodeName3);
-        superuser.save();
-        String childchildPath = child.getPath();
-
-        Privilege[] addNode = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
-
-        allow(path, repWritePrivileges, createGlobRestriction("/*"+nodeName3));
-        deny(childNPath2, addNode);
-
-        assertFalse(testAcMgr.hasPrivileges(path, repWritePrivileges));
-        assertFalse(testSession.hasPermission(path, javax.jcr.Session.ACTION_REMOVE));
-        assertFalse(testAcMgr.hasPrivileges(childNPath, repWritePrivileges));
-        assertFalse(testSession.hasPermission(childNPath, javax.jcr.Session.ACTION_REMOVE));
-        assertFalse(testAcMgr.hasPrivileges(childNPath2, repWritePrivileges));
-        assertTrue(testAcMgr.hasPrivileges(childchildPath, repWritePrivileges));
-    }
-
-    @Test
     public void testWriteIfReadingParentIsDenied() throws Exception {
         /* deny READ/WRITE privilege for testUser at 'path' */
         deny(path, testUser.getPrincipal(), readWritePrivileges);



Mime
View raw message