jackrabbit-users mailing list archives

From Kevin Jansz <kevin.ja...@exari.com>
Subject Re: Granting access to versionStorage?
Date Mon, 14 Feb 2011 00:07:13 GMT
On further investigation I can partially answer some of my question(s):

* Version labelling is an admin-only function by default - but you can
grant access controls to allow this for users that are not the
admin-user
* Having privileges on a resource does not correspond to any
privileges on the corresponding version nodes being created in version
history

* Support for non-admin users' access to "label" items in version
history can be achieved (with the default node-type definitions) by
granting write access to jcr:system. This involves:
1) add mixin rep:AccessControllable to /jcr:system
- without this, attempts to add ACLs will not be possible
- this isn't supported for /jcr:system/jcr:versionStorage or its
children in the default node-type definition. It may be customisable?
2) grant jcr:write privilege on /jcr:system for the principals that require it
- weighing up the functionality gained by having non-admin version
labelling vs any security issues with having broader access than
default to /jcr:system



--
Kevin Jansz
kevin.jansz@exari.com
Level 7, 10-16 Queen Street, Melbourne 3000 Australia
Tel +61 3 9621 2773 | Fax +61 3 9621 2776
Exari Systems
Boston | London | Melbourne | Munich
www.exari.com

Test drive our software online - www.exari.com/demo-trial.html
Read our blog on document assembly - blog.exari.com


On 8 February 2011 16:39, Kevin Jansz <kevin.jansz@exari.com> wrote:
>
> In a repository (versioning & security configured)
> - a user can create a resource in an area where the ACLs allow it (say
> "testuser" has jcr:all on /content/example)
> - they can view the history of versions for the resource
> - they hit an issue if they try to label a version (system code is
> running javax.jcr.version.VersionHistory.addVersionLabel(String,
> String, boolean) on behalf of the user)
>        - this hits an AccessDeniedException
> - checking the ACLs in the versionStorage area
> (/jcr:system/jcr:versionStorage/../../....) this is set to
>        - administrators have jcr:all
>        - everyone has jcr:read
>        this must be the default as this area has not had ACLs configured
> - all attempts to edit ACLs on /jcr:system/jcr:versionStorage/ seem to
> have no effect
>
>
> I probably haven't described this well, but it seems I might be using
> the methods in the wrong way ... in summary:
> - is version labelling meant to be an administrators-only function?
> - if not, it seems that having jcr:all on something that is
> mix:versionable does not automatically mean you'll have
> label (jcr:versionManagement or jcr:modifyProperties?) access to the
> item's version history. Are there
> recommendations/examples for how this can/should be configured?
>
> Regards,
> Kevin
>
> --
> Kevin Jansz
> kevin.jansz@exari.com
> Level 7, 10-16 Queen Street, Melbourne 3000 Australia
> Tel +61 3 9621 2773 | Fax +61 3 9621 2776
> Exari Systems
> Boston | London | Melbourne | Munich
> www.exari.com
>
> Test drive our software online - www.exari.com/demo-trial.html
> Read our blog on document assembly - blog.exari.com
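The two-step configuration described in the reply above (add the rep:AccessControllable mixin to /jcr:system, then grant jcr:write there), followed by the check a practitioner would want before accepting the broader access, written out as an added example in Java against the JCR 2.0 / Jackrabbit 2.x API. This is illustrative code, not code from the thread or from the Jackrabbit project; it assumes an admin session and a user session are obtained elsewhere, and uses the "testuser" principal name from the original question as a placeholder.

```java
import java.security.Principal;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;

/** Added example: enabling non-admin version labelling via an ACL on /jcr:system. */
public class VersionLabelAccess {

    static final String SYSTEM_PATH = "/jcr:system";
    static final String VERSION_STORAGE = "/jcr:system/jcr:versionStorage";
    static final String ACCESS_CONTROLLABLE = "rep:AccessControllable";

    /** Step 1: make the node access-controllable so an ACL can be attached to it.
     *  canAddMixin() is the check for the node-type restriction the reply mentions:
     *  it returns false under the default definitions for jcr:versionStorage. */
    static void makeAccessControllable(Session admin, String path) throws RepositoryException {
        Node node = admin.getNode(path);
        if (node.isNodeType(ACCESS_CONTROLLABLE)) {
            return; // already done, nothing to change
        }
        if (!node.canAddMixin(ACCESS_CONTROLLABLE)) {
            throw new RepositoryException("node type of " + path + " does not allow " + ACCESS_CONTROLLABLE);
        }
        node.addMixin(ACCESS_CONTROLLABLE);
        admin.save();
    }

    /** Step 2: grant jcr:write on the path to one principal, reusing an existing ACL if present. */
    static void grantWrite(Session admin, String path, Principal principal) throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        AccessControlList acl = null;
        // An ACL already bound to the node takes precedence over a fresh applicable one.
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof AccessControlList) { acl = (AccessControlList) p; break; }
        }
        if (acl == null) {
            AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
            while (it.hasNext()) {
                AccessControlPolicy p = it.nextAccessControlPolicy();
                if (p instanceof AccessControlList) { acl = (AccessControlList) p; break; }
            }
        }
        if (acl == null) {
            throw new RepositoryException("no access control list available at " + path);
        }
        Privilege[] write = { acm.privilegeFromName(Privilege.JCR_WRITE) };
        acl.addAccessControlEntry(principal, write);
        acm.setPolicy(path, acl);
        admin.save();
    }

    /** Check: from the user's own session, list what they effectively hold on version storage.
     *  Because the grant is made on /jcr:system, it is inherited by everything below it,
     *  which is the "broader access than default" trade-off the reply weighs up. */
    static String[] effectivePrivileges(Session user, String path) throws RepositoryException {
        Privilege[] privs = user.getAccessControlManager().getPrivileges(path);
        String[] names = new String[privs.length];
        for (int i = 0; i < privs.length; i++) {
            names[i] = privs[i].getName();
        }
        return names;
    }

    /** Usage sketch; admin and user sessions are assumed to be logged in already. */
    static void configure(JackrabbitSession admin, Session user) throws RepositoryException {
        PrincipalManager pm = admin.getPrincipalManager();
        Principal testUser = pm.getPrincipal("testuser"); // placeholder principal from the thread
        makeAccessControllable(admin, SYSTEM_PATH);
        grantWrite(admin, SYSTEM_PATH, testUser);
        // Review what the grant actually exposes before leaving it in place.
        for (String name : effectivePrivileges(user, VERSION_STORAGE)) {
            System.out.println("testuser holds " + name + " on " + VERSION_STORAGE);
        }
    }
}
```

The final loop is the part worth keeping in any real deployment: jcr:write granted at /jcr:system is inherited by the whole system subtree, not only by the version history of the user's own resources, so the effective privilege list on version storage should be reviewed and compared against what the application actually needs (labelling) before the change is accepted.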
