jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ian Boston <...@tfd.co.uk>
Subject Group denies
Date Sat, 04 Jul 2009 16:07:25 GMT

I am wondering the reasoning behind not allowing a deny for a set of  
permissions to be allowed on a group ?
In JR15
acl.ACLTemplate.addEntry()  (ACLTemplate.java#329) calls  
checkValidEntry at line 336 which at line 255 has

   // additional validation: a group may not have 'denied' permissions
         if (!isAllow && principal instanceof Group) {
             throw new AccessControlException("For group principals  
permissions can only be added but not denied.");

Which appears to be contrary to the advice given in [1], assuming CRX  
is using the same or similar code.


[1] http://dev.day.com/discussion-groups/content/lists/crx-yahoo/2009-02/2009-02-05__jcr_crx_ACL_inheritance_agrusell.html

View raw message