From: Ian Boston
To: users@jackrabbit.apache.org
Subject: Re: Controlling who can modify groups.
Date: Tue, 4 Aug 2009 10:27:22 +0100
In-Reply-To: <1765B1C0-342C-47FD-A608-9799DB5B6E1B@TFD.CO.UK>

On 3 Aug 2009, at 18:44, Ian Boston wrote:

> Hi,
>
> Is there a standard way to control who can modify a group in the
> Jackrabbit User Manager Impl?
>
> IIUC, there appears to be a Group (default GroupAdmin) that grants
> the user write access to *all* groups, but no way of granting a user
> administrative rights over a subset of all groups.
>
> Is this correct, or have I missed something?
>
> Ian

On the basis that delegated administration of selected groups is not
possible, would the following patch be a "safe" thing to do in the
UserAccessControlProvider? NB, this is *not* a request to patch
Jackrabbit code, it's just a question regarding the sanity of the
approach.

In UserAccessControlProvider#CompiledPermissionsImpl.buildResult(...):

    } else if (groupsPath.equals(abs2Path)) {
        /* below group-tree:
           - test if the user is group-administrator. */
        if (isGroupAdmin) {
            allows = Permission.ALL;
            if (calcPrivs) {
                privs |= PrivilegeRegistry.WRITE;
            }
        } else {
            // new code to allow group administration delegation:
            // check the group node to see if it carries a list of admin groups.
            // GROUPS_PROPERTY (the property name) and containsGroup(...) are
            // helpers not shown here.
            Node node = (NodeImpl) getExistingNode(path);
            if (node.hasProperty(GROUPS_PROPERTY)) {
                // assumes a multi-valued property: Property.getValues() throws
                // ValueFormatException if the property is single-valued.
                Property groups = node.getProperty(GROUPS_PROPERTY);
                for (Value group : groups.getValues()) {
                    String groupName = group.getString();
                    if (containsGroup(userPrincipals, groupName)) {
                        allows = Permission.ALL;
                        if (calcPrivs) {
                            privs |= PrivilegeRegistry.WRITE;
                        }
                        break;
                    }
                }
            }
            // end new code
        }
    } // else outside of user/group tree -> read only.
    return new Result(allows, denies, privs, PrivilegeRegistry.NO_PRIVILEGE);
}

Ian
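The following is a stand-alone Python model of the decision logic in the sketch above, added here as an illustration; it is not Jackrabbit code and not the poster's patch. It reproduces the three outcomes the sketch produces (global GroupAdmin gets write everywhere under the group tree, a member of a group named in the group node's delegation property gets write on that group only, everyone else stays read-only) and adds the one edge the Java code does not handle: a single-valued delegation property, which `Property.getValues()` would reject with a `ValueFormatException`. The property name `rep:groupAdmins`, the group tree path, the permission bit values and the group nodes and principal names are constructed sample data and assumptions, not names from the original.

```python
"""Model of the delegated group-administration check discussed in the message.

Added illustration, not Jackrabbit code. Paths, the delegation property name
(rep:groupAdmins), the permission bit values and all group/principal names
are assumptions made up for this example.
"""

# Stand-ins for Jackrabbit's Permission / PrivilegeRegistry constants.
READ = 1
WRITE = 2
ALL = READ | WRITE
NO_PRIVILEGE = 0

GROUPS_PATH = "/rep:security/authorizables/groups"   # assumed group-tree root
ADMIN_GROUPS_PROPERTY = "rep:groupAdmins"              # assumed property name

# Constructed repository content: group node path -> its properties.
# A list models a multi-valued JCR property; a bare string models a
# single-valued one, which Property.getValues() would refuse.
NODES = {
    GROUPS_PATH + "/team-a": {ADMIN_GROUPS_PROPERTY: ["team-a-admins", "ops"]},
    GROUPS_PATH + "/team-b": {ADMIN_GROUPS_PROPERTY: ["team-b-admins"]},
    GROUPS_PATH + "/legacy": {ADMIN_GROUPS_PROPERTY: "ops"},   # single-valued
    GROUPS_PATH + "/orphan": {},                               # no delegation
}


def admin_groups_for(node_props):
    """Return the delegated admin group names stored on a group node.

    Mirrors Property.getValues(): a single-valued property is an error,
    raised here as ValueError so the caller can decide what it means.
    """
    value = node_props.get(ADMIN_GROUPS_PROPERTY)
    if value is None:
        return []
    if not isinstance(value, list):
        raise ValueError("single-valued property, expected multi-valued")
    return list(value)


def build_result(path, user_principals, is_group_admin, calc_privs=True):
    """Compute (allows, privs) for `path` the way the sketched buildResult does.

    `user_principals` is the set of group names the requesting user holds.
    Anything outside the group tree is read-only in this model, as in the
    original's fall-through branch.
    """
    allows, privs = READ, NO_PRIVILEGE
    if not path.startswith(GROUPS_PATH + "/"):
        return allows, privs

    if is_group_admin:
        # Global GroupAdmin: write access to *all* groups.
        allows = ALL
        if calc_privs:
            privs |= WRITE
        return allows, privs

    node = NODES.get(path)
    if node is None:
        return allows, privs
    try:
        admin_groups = admin_groups_for(node)
    except ValueError:
        # A malformed delegation property grants nothing; failing closed here
        # keeps the exception out of the permission evaluation path.
        admin_groups = []
    if any(group in user_principals for group in admin_groups):
        allows = ALL
        if calc_privs:
            privs |= WRITE
    return allows, privs


def can_write(path, user_principals, is_group_admin=False):
    """True when the computed permission set includes WRITE."""
    allows, _ = build_result(path, user_principals, is_group_admin)
    return allows & WRITE == WRITE


if __name__ == "__main__":
    for who, principals in (("team-a admin", {"team-a-admins"}), ("ops", {"ops"})):
        for node in sorted(NODES):
            print(who, node, "write" if can_write(node, principals) else "read-only")
```

Note that the grant in the sketch is `Permission.ALL` on the group node, so a delegated administrator can also rewrite the delegation property on that node; whether that is acceptable is a policy decision the model leaves to the caller.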