jackrabbit-users mailing list archives

From Lars Michele <lars.mich...@tu-dortmund.de>
Subject Re: Groups Deny, DefaultAccessManager
Date Sun, 26 Apr 2009 12:56:34 GMT
Hi Ian,

Just for clarification, I think the implementation is doing something
like this:
1. Try to get an ACL based on the user principal. If an ACL for the
principal is defined at the node (or one of its parents), use it. So
when giving a user explicit access rights on the root node, you have to
deny them explicitly for that user on subnodes the user is not allowed
to access.
2. If no ACL was found, try to find an ACL based on the group principals
the user is in and use it.
3. If no ACL was found that allows the desired action --> no access.

The AccessControlProviderInterface seems to be a good starting point for
implementing your own ACLs. But perhaps it would be sufficient for you
to change the methods in ACLTemplate to evaluate the permission the way
you want.


Ian Boston wrote:
> Lars,
> Thank you, the explanation makes sense. It's the order independence of
> the ACL and the fact that everything is or'd together that makes a
> deny in group pointless, rather than an explicit design decision. The
> approach you suggest to achieving the private subfolder is perfectly
> workable.
> Presumably this policy is expressed inside the implementation of the
> AccessControlProvider where the ACL is compiled.
> Since this class is defined in the repository.xml would it be the
> right place to extend or change the behavior *if* I wanted to? (I have
> some other use cases that may need to address if the standard impl
> doesn't cover them)
> Thanks
> Ian

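A small model of the three-step evaluation order described in the message above, added here as an example; it is not Jackrabbit code and does not use Jackrabbit's API. The paths, principals, the `ACLS` layout and `is_allowed` are hypothetical, and OR-ing several group entries found on one node is an assumption.

```python
from posixpath import dirname

# Constructed sample ACLs: {node path: {principal: (allowed, denied)}}
ACLS = {
    "/": {"ian": ({"read", "write"}, set()),
          "staff": ({"read"}, set())},
    "/projects/private": {"ian": (set(), {"read", "write"}),
                          "staff": (set(), {"read"})},
    "/projects/shared": {"staff": (set(), {"read"})},   # group deny only
}

def ancestors(path):
    """Yield path, then each parent up to the root."""
    while True:
        yield path
        if path == "/":
            return
        path = dirname(path)

def nearest_entries(path, principals):
    """Entries for `principals` at the closest node that defines any."""
    for node in ancestors(path):
        found = [e for p, e in ACLS.get(node, {}).items() if p in principals]
        if found:
            return found
    return []

def is_allowed(user, groups, path, action):
    # Step 1: an ACL for the user principal, if one exists, decides.
    # Step 2: otherwise fall back to the group principals.
    entries = nearest_entries(path, {user}) or nearest_entries(path, set(groups))
    # Step 3: no access unless some entry found allows the action
    # (several group entries on one node are OR'd: an assumption here).
    return any(action in allow and action not in deny for allow, deny in entries)
```

With this data the group deny on `/projects/shared` has no effect for `ian`, whose user entry on the root is found first, while the explicit user deny on `/projects/private` does block him.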