Date: Wed, 9 Sep 2009 11:36:07 +0300
Subject: Need help regarding privilege evaluation in JR !
From: "arcassis@gmail.com"
To: users@jackrabbit.apache.org

Hello all,

I have a very big problem regarding privileges. Can someone give me a URL or some documentation about how the privileges are applied in Jackrabbit?

Right now I'm having problems regarding this specific matter:

Privileges on Root (/):
-----------------------------------------------
allow -> administrators: jcr:all
allow -> All Users: jcr:read
allow -> adminOnRoot: jcr:read, jcr:notifyOnChange, rep:write, jcr:readAccessControl, jcr:modifyAccessControl, jcr:versionManagement, jcr:lockManagement, jcr:retentionManagement
-----------------------------------------------

Privileges on an intermediary node (/categoryOne):
This node is not access controllable.

Privileges on my document (/categoryOne/MyDocument) [node that I want to delete]:
-----------------------------------------------
allow -> All Users: jcr:read
allow -> user01: jcr:read, jcr:removeChildNodes, jcr:removeNode, jcr:readAccessControl, jcr:modifyAccessControl, jcr:versionManagement, jcr:lockManagement
deny -> adminOnRoot: jcr:notifyOnChange, jcr:modifyProperties, jcr:removeChildNodes, jcr:removeNode, jcr:readAccessControl, jcr:modifyAccessControl, jcr:versionManagement, jcr:lockManagement
-----------------------------------------------

I'm logged in to Jackrabbit as user01 (user01 belongs only to All Users). When I try to delete /categoryOne/MyDocument I get an "access denied exception!".

If I add jcr:modifyProperties to user01's allow ACE (on node /categoryOne/MyDocument) and add user01 to the adminOnRoot group, then I can delete the node. This is weird!

Can anyone explain why this is happening, or what the normal flow and logic behind evaluating privileges in Jackrabbit is?

Many thanks!
Dan
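
A diagnostic for the setup described in the message above, added here as an example and not part of the original post or of Jackrabbit's own code. It walks from the node up to the root, printing each ACL and the session's effective privileges, then tests the two privileges JCR 2.0 requires for a removal: jcr:removeNode on the node and jcr:removeChildNodes on its parent. Assumptions: a repository exposing the JCR 2.0 javax.jcr.security API plus Jackrabbit's JackrabbitAccessControlEntry, a Session already logged in as the user under test, and the hypothetical class name RemoveCheck.

```java
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;

/** Added diagnostic (hypothetical name); the Session is supplied by the caller. */
public final class RemoveCheck {

    /** Dumps ACLs and effective privileges from path up to "/", then applies the JCR 2.0 removal rule. */
    public static boolean canRemove(Session s, String path) throws RepositoryException {
        AccessControlManager acm = s.getAccessControlManager();
        for (String p = path; ; p = parentOf(p)) {
            dump(acm, p);
            if (p.equals("/")) break;
        }
        Privilege[] onNode = { acm.privilegeFromName(Privilege.JCR_REMOVE_NODE) };
        Privilege[] onParent = { acm.privilegeFromName(Privilege.JCR_REMOVE_CHILD_NODES) };
        // Both must hold: a grant on the node alone does not cover the parent's child list.
        return acm.hasPrivileges(path, onNode) && acm.hasPrivileges(parentOf(path), onParent);
    }

    private static void dump(AccessControlManager acm, String p) throws RepositoryException {
        System.out.println(p + " effective: " + names(acm.getPrivileges(p)));
        try {
            for (AccessControlPolicy pol : acm.getPolicies(p)) {
                if (!(pol instanceof AccessControlList)) continue;
                for (AccessControlEntry ace : ((AccessControlList) pol).getAccessControlEntries()) {
                    // Allow/deny is a Jackrabbit extension; plain JCR 2.0 entries are grants.
                    boolean deny = ace instanceof JackrabbitAccessControlEntry
                            && !((JackrabbitAccessControlEntry) ace).isAllow();
                    System.out.println("  " + (deny ? "deny  " : "allow ")
                            + ace.getPrincipal().getName() + ": " + names(ace.getPrivileges()));
                }
            }
        } catch (AccessDeniedException e) {
            // Reading an ACL itself requires jcr:readAccessControl at that path.
            System.out.println("  (ACL not readable by this session)");
        }
    }

    private static String names(Privilege[] ps) {
        StringBuilder sb = new StringBuilder();
        for (Privilege x : ps) sb.append(x.getName()).append(' ');
        return sb.toString().trim();
    }

    private static String parentOf(String p) {
        int i = p.lastIndexOf('/');
        return i <= 0 ? "/" : p.substring(0, i);
    }
}
```

Calling RemoveCheck.canRemove(session, "/categoryOne/MyDocument") shows whether the denial comes from the document's own ACL or from what /categoryOne inherits from the root.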