jackrabbit-users mailing list archives

From Angela Schreiber <anch...@day.com>
Subject Re: Container authentication working, over to authorization
Date Wed, 24 Mar 2010 17:58:48 GMT

> What's the best way to deal with this? Adding Permission.NODE_TYPE_MNGMT for
> a user role/group on the root node? That doesn't feel quite right as there
> are system nodes under the root nodes that shouldn't be included in the
> permissions. 

i guess there is no best way... it depends on your setup
and requirements. you could e.g.

- allow it for the root and deny it for those system nodes
   you don't want it.

- you don't grant the privilege on the root but on each
   individual subtrees where you need that priv.

- you use another ac implementation that allows you to specify
   patterns (e.g. the principal-based ac) so you don't have
   to deny/allow the privilege on individual subtrees which
   may be cumbersome if you don't have a fixed list.

apart from that: i don't know exactly what system nodes
you were referring to... but as far as i know the huge part
of the system nodes/properties is at some point protected
and therefore regular write operations are pretty much
limited (thinking of versions, activities, node types,
access control, users).
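
The first two options from the reply above, as an added example that is not part of the original message or of Jackrabbit's own code. It assumes Jackrabbit's default resource-based ACL implementation, that `jcr:nodeTypeManagement` is the privilege behind `Permission.NODE_TYPE_MNGMT`, and that the caller supplies the subtree paths (the class and method names are hypothetical).

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

public final class NodeTypeMgmtAcl {  // hypothetical helper class

    /** Returns the ACL already bound at absPath, or an applicable empty one. */
    static JackrabbitAccessControlList aclAt(AccessControlManager acm, String absPath)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(absPath)) {
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(absPath);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        throw new RepositoryException("No editable ACL at " + absPath);
    }

    /** Adds one allow or deny entry for jcr:nodeTypeManagement at absPath. */
    static void setEntry(Session admin, String absPath, Principal who, boolean allow)
            throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        JackrabbitAccessControlList acl = aclAt(acm, absPath);
        Privilege[] privs = { acm.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT) };
        acl.addEntry(who, privs, allow);   // Jackrabbit extension: explicit allow/deny flag
        acm.setPolicy(absPath, acl);
    }

    /** Option 1: allow on the root, then deny on each subtree that must stay excluded. */
    static void allowRootDenySubtrees(Session admin, Principal group, String... deniedPaths)
            throws RepositoryException {
        setEntry(admin, "/", group, true);
        for (String path : deniedPaths) setEntry(admin, path, group, false);
        admin.save();                      // ACL changes are transient until saved
    }

    /** Option 2: nothing on the root, allow only on the subtrees that need it. */
    static void allowSubtreesOnly(Session admin, Principal group, String... allowedPaths)
            throws RepositoryException {
        for (String path : allowedPaths) setEntry(admin, path, group, true);
        admin.save();
    }
}
```

Option 2 fails closed: a subtree added later carries no grant until someone adds one, whereas option 1 leaves every new subtree covered by the root allow until a deny is set on it.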

