jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexander Klimetschek <aklim...@day.com>
Subject Re: ACL Order reversed?
Date Mon, 02 Aug 2010 14:06:55 GMT
On Mon, Aug 2, 2010 at 14:36, Cory Prowse <cory@prowse.com> wrote:
> I thought that if I set the ACL in the order "ALLOW:authors, DENY:everyone" that when
a Principal in the authors group attempted access it would be allowed since the ALLOW would
apply first.
> This is not the case and in fact any author us denied.

>From what I know, this is the expected case, I think.

> However if I set the ACL in the order "DENY:everyone, ALLOW:authors" then authors are
allowed access.

Not sure, but it should probably have the same effect (deny wins),
regardless of the order...

> Actually, it's a bit more weird than that even.  When set "ALLOW:authors, DENY:everyone"
by a Principal who is an author, then while their session is active they get access to the
node but not to the properties of the node (this is after the Session.save() to apply the
ACL).
> However if I restart the App Server then the authors are consistently denied access to
the node, which seems to me to point to something weird going on.

The change might not have effect on existing sessions. You need to
refresh the sessions or get new ones. See also
http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html#InteractionwiththeTransientLayerandTransactions


> For now it seems to work fine if I set the ACL in reverse order.  I haven't tested with
more than two ACL entries applied to a node.


Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetschek@day.com

Mime
View raw message