jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andreas Hartmann <andr...@apache.org>
Subject Managing access policies across workspaces
Date Fri, 27 Jun 2008 14:54:08 GMT
Hi Jackrabbit community,

considering a setup with multiple workspaces for separated authoring and 
live content, what would be the most promising approach to model access 
control policies?

Given that a future Jackrabbit release will support JSR-283-like access 
control entries, I'd assign an entry to a node in the authoring 
workspace (simplifying the Java syntax and JCR API):

       "/site/anniversary", anniversaryAuthors, { "jcr:write" });

BTW, is the scope of an access control entry the item it is assigned to, 
or the whole subtree?

Now comes the tricky part. What if I have a structure like this:


Let's assume that the /site/anniversary subtree is not live yet - it 
will be published on the day of the anniversary. I want to allow the 
anniversaryReviewers to publish anniversary content, but no permanent 
content. That means I'd have to assign the jcr:write privilege to a 
not-yet-existing node in the live workspace. Unfortunately, 
addAccessControlEntry() throws a PathNotFoundException if the node 
doesn't exist …

Tobias Bocanegra told me on dev@sling that (IIUC) the access control 
entries are not copied to the staging workspace if the staging node is 
updated, which makes perfect sense. I hope it will conform to the 
upcoming JSR-283 - I didn't find anything in the spec about this.

Thanks a lot in advance for any hints!

-- Andreas

Andreas Hartmann, CTO
BeCompany GmbH
Tel.: +41 (0) 43 818 57 01

View raw message