jackrabbit-users mailing list archives

From Ian Boston <...@tfd.co.uk>
Subject Re: Controlling who can modify groups.
Date Thu, 06 Aug 2009 10:49:07 GMT

On 4 Aug 2009, at 10:27, Ian Boston wrote:

>
> On 3 Aug 2009, at 18:44, Ian Boston wrote:
>
>> Hi,
>>
>> Is there a standard way to control who can modify a group in the
>> Jackrabbit User Manager Impl?
>>
>> IIUC, there appears to be a Group (default GroupAdmin) that grants
>> the user write access to *all* groups, but no way of granting a
>> user administrative rights over a subset of all groups.
>>
>> Is this correct, or have I missed something?
>>
>> Ian
>
>
> On the basis that delegated administration of selected groups is not
> possible, would the following patch be a "safe" thing to do in the
> UserAccessControlProvider. NB, this is *not* a request to patch
> Jackrabbit code, it's just a question regarding the sanity of the
> approach.
>
> in UserAccessControlProvider#CompiledPermissionsImpl.buildResult(...)
>
>            } else if (groupsPath.equals(abs2Path)) {
>                /*
>                below group-tree:
>                - test if the user is group-administrator.
>                */
>                if (isGroupAdmin) {
>                    allows = Permission.ALL;
>                    if (calcPrivs) {
>                        privs |= PrivilegeRegistry.WRITE;
>                    }
>                } else {
>
>                  // new code to allow group administration delegation
>
>                  // check the group node to see if there is a list of admin groups.
>                  Node node = (NodeImpl) getExistingNode(path);
>                  if ( node.hasProperty(GROUPS_PROPERTY) ) {
>                    Property groups = node.getProperty(GROUPS_PROPERTY);
>                    for ( Value group : groups.getValues() ) {
>                      String groupName = group.getString();
>                      if ( containsGroup(userPrincipals, groupName)) {
>                        allows = Permission.ALL;
>                        if (calcPrivs) {
>                            privs |= PrivilegeRegistry.WRITE;
>                        }
>                        break;
>                      }
>                    }
>                  }
>                  // end new code
>                }
>
>            } // else outside of user/group tree -> read only.
>            return new Result(allows, denies, privs, PrivilegeRegistry.NO_PRIVILEGE);
>        }
>
> Ian



Sadly this is a complete non-starter since the groups property
attached to a user node in the UserManager subtree, e.g.
/rep:security/rep:authorizables/rep:users/rep:admin/nico1249552834/rep:groups, is
where group membership is stored, and at the point of asserting the
permissions all that can be derived is that the property is being
changed, not which group(s) are being added or removed, so there is no
way of doing delegated groups administration in the current Jackrabbit
UserManager. The user performing the modification has to be a member
of both the UserAdmin group and the GroupAdmin group... and then they
get permissions to admin *all* groups and *all* users in the system.

Ian
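To make the limitation concrete, here is an added Python model (not Jackrabbit code, and not part of the thread) of the two decision points discussed above: the path-based check of the patched buildResult(), which never learns which groups a write to rep:groups touches, beside the old/new value comparison that delegated group administration would actually need. The rep:admins property, the user and group nodes and the principal names are constructed assumptions.

```python
# Constructed model of the Jackrabbit 1.x user-manager tree discussed in the
# thread; nothing here is Jackrabbit's own code. rep:admins is a hypothetical
# property standing in for the "list of admin groups" in the quoted patch.
USERS_PATH = "/rep:security/rep:authorizables/rep:users"
GROUPS_PATH = "/rep:security/rep:authorizables/rep:groups"
MEMBERSHIP_PROPERTY = "rep:groups"  # multi-valued, stored on the *user* node
ADMINS_PROPERTY = "rep:admins"      # hypothetical, stored on the group node

# Constructed repository: node path -> {property name: values}.
REPO = {
    GROUPS_PATH + "/e/editors": {ADMINS_PROPERTY: frozenset({"editor-admins"})},
    USERS_PATH + "/b/bob": {MEMBERSHIP_PROPERTY: frozenset()},
}

def group_node(name):
    """Path of the group node for a group name, or None if unknown."""
    for path in REPO:
        if path.startswith(GROUPS_PATH + "/") and path.endswith("/" + name):
            return path
    return None

def path_based_allows(principals, is_user_admin, is_group_admin, item_path):
    """Mirror of the patched buildResult(): decide only from the item path."""
    if item_path.startswith(USERS_PATH + "/"):
        return is_user_admin  # a rep:groups edit lands here, never below
    if item_path.startswith(GROUPS_PATH + "/"):
        if is_group_admin:
            return True
        node = item_path if item_path in REPO else item_path.rsplit("/", 1)[0]
        admins = REPO.get(node, {}).get(ADMINS_PROPERTY, frozenset())
        return bool(admins & set(principals))
    return False  # outside the user/group tree -> read only

def changed_groups(old, new):
    """Groups added or removed by rewriting a user's rep:groups values."""
    return frozenset(set(old) ^ set(new))

def value_based_allows(principals, old, new):
    """What delegation would need: the caller is in an admin group of every
    group that the change adds or removes."""
    affected = changed_groups(old, new)
    if not affected:
        return False  # nothing changed: fall back to the normal UserAdmin rule
    for name in affected:
        node = group_node(name)
        if node is None:
            return False
        if not REPO[node].get(ADMINS_PROPERTY, frozenset()) & set(principals):
            return False
    return True
```

The provider in the thread only receives the item path, so path_based_allows is all it can compute; value_based_allows needs the old and new property values, which is exactly the information the reply says is not available at that point.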

