jackrabbit-users mailing list archives

From Ian Boston <...@tfd.co.uk>
Subject Re: Controlling who can modify groups.
Date Tue, 04 Aug 2009 09:27:22 GMT

On 3 Aug 2009, at 18:44, Ian Boston wrote:

> Hi,
>
> Is there a standard way to control who can modify a group in the
> Jackrabbit User Manager Impl?
>
> IIUC, there appears to be a Group (default GroupAdmin) that grants
> the user write access to *all* groups, but no way of granting a user
> administrative rights over a subset of all groups.
>
> Is this correct, or have I missed something?
>
> Ian


On the basis that delegated administration of selected groups is not
possible, would the following patch be a "safe" thing to do in the
UserAccessControlProvider? NB, this is *not* a request to patch
Jackrabbit code, it's just a question regarding the sanity of the
approach.

in UserAccessControlProvider#CompiledPermissionsImpl.buildResult(...)

             } else if (groupsPath.equals(abs2Path)) {
                 /*
                 below group-tree:
                 - test if the user is group-administrator.
                 */
                 if (isGroupAdmin) {
                     allows = Permission.ALL;
                     if (calcPrivs) {
                         privs |= PrivilegeRegistry.WRITE;
                     }
                 } else {

// new code to allow group administration delegation

                   // check the group node to see if there is a list of admin groups.
                   Node node = (NodeImpl) getExistingNode(path);
                   if ( node.hasProperty(GROUPS_PROPERTY) ) {
                     Property groups = node.getProperty(GROUPS_PROPERTY);
                     for ( Value group : groups.getValues() ) {
                       String groupName = group.getString();
                       if ( containsGroup(userPrincipals, groupName)) {
                         allows = Permission.ALL;
                         if (calcPrivs) {
                             privs |= PrivilegeRegistry.WRITE;
                         }
                         break;
                       }
                     }
                   }
// end new code
                 }


             } // else outside of user/group tree -> read only.
             return new Result(allows, denies, privs, PrivilegeRegistry.NO_PRIVILEGE);
         }

Ian
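
The delegation rule proposed in the message above, modelled as a stand-alone Java program that checks the per-group scoping and the read-only fallback. This is an added example, not code from the original message or from Jackrabbit; the class, method and group names are hypothetical, and the map stands in for the property read from each group node.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Stand-alone model of the delegated group-administration check.
// It does not use the Jackrabbit API; all names here are hypothetical.
public class DelegatedGroupAdminDemo {

    // Constructed sample data: group node name -> values of its admin-groups
    // property. A missing key models a group node without the property.
    static final Map<String, List<String>> ADMIN_GROUPS = Map.of(
            "physics-staff", List.of("physics-admins"),
            "chemistry-staff", List.of("chemistry-admins", "lab-managers"),
            "board", List.of());

    // True if the caller may modify the group: either a global group
    // administrator, or a member of a group listed on that group node.
    static boolean canModify(Set<String> principals, boolean isGroupAdmin, String group) {
        if (isGroupAdmin) {
            return true; // existing rule: GroupAdmin may write to all groups
        }
        List<String> delegates = ADMIN_GROUPS.get(group);
        if (delegates == null) {
            return false; // no property on the node: stay read-only
        }
        for (String delegate : delegates) {
            if (principals.contains(delegate)) {
                return true; // delegated rights apply to this group only
            }
        }
        return false; // property present but no match: stay read-only
    }

    static void check(boolean expected, boolean actual, String what) {
        if (expected != actual) throw new AssertionError(what);
        System.out.println(what + ": " + actual);
    }

    public static void main(String[] args) {
        Set<String> alice = Set.of("alice", "physics-admins");
        Set<String> root = Set.of("root");
        check(true, canModify(alice, false, "physics-staff"), "delegate on own group");
        check(false, canModify(alice, false, "chemistry-staff"), "delegate on other group");
        check(false, canModify(alice, false, "board"), "empty admin list");
        check(false, canModify(alice, false, "unlisted"), "node without property");
        check(true, canModify(root, true, "board"), "global group admin");
    }
}
```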
