jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ChadDavis <chadmichaelda...@gmail.com>
Subject Re: ACL and Version Control
Date Tue, 26 Jul 2011 23:03:56 GMT
Thanks Angela.

> in order to execute version operations a principal must
> have jcr:versionManagement privilege [1] on the corresponding
> versionable node.

I'm using an admin user, who has this privilege.  And, indeed, the
checkin() works, and a new version is created.  However, when I try to
add a label, I get a RepositoryException.  If I remove the label call,
the checkin operation works just fine.

javax.jcr.RepositoryException: Forbidden
	at org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:120)
	at org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:51)
	at org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.execute(RepositoryServiceImpl.java:552)
	at org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.addVersionLabel(RepositoryServiceImpl.java:1766)
	at org.apache.jackrabbit.jcr2spi.WorkspaceManager$OperationVisitorImpl.visit(WorkspaceManager.java:1061)
	at org.apache.jackrabbit.jcr2spi.operation.AddLabel.accept(AddLabel.java:70)
	at org.apache.jackrabbit.jcr2spi.WorkspaceManager$OperationVisitorImpl.execute(WorkspaceManager.java:848)
	at org.apache.jackrabbit.jcr2spi.WorkspaceManager$OperationVisitorImpl.access$400(WorkspaceManager.java:793)
	at org.apache.jackrabbit.jcr2spi.WorkspaceManager.execute(WorkspaceManager.java:581)
	at org.apache.jackrabbit.jcr2spi.version.VersionManagerImpl.addVersionLabel(VersionManagerImpl.java:146)
	at org.apache.jackrabbit.jcr2spi.version.VersionHistoryImpl.addVersionLabel(VersionHistoryImpl.java:179)
	at wego.ecms.WGECMSDocumentManager.commitVersion(WGECMSDocumentManager.java:487)

I suppose this could be a bug in the davex remoting stack, on the
service side of the equation.  Or is this expected by your

> note however, that this only covers the execution. reading
> version related content is controlled by regular read permissions.
> one more thing to be aware of: version operations such as checkin
> also require read-access to the corresponding part of the version
> storage. this is rather cumbersome and covered by an jira issue [2]

I'm not entirely sure that I understand this, and the referenced
ticket.  Are you saying that successful version control operations,
such as checkin, depend upon BOTH:

1) jcr:versionManagement on the node which will be versioned


2) read access to the entire version tree, i.e. /jcr:system/jcr:versionStorage

I understand requirement one easily enough.  And I think I understand
number two -- I'm using the Default . . . AccessManager,
SecurityManager and LoginModule, and I'm using admin/admin.  I have
attached no ACL's to anything in the system tree, so I would expect
that my admin user has read permissions on the entire version tree.
Actually, I would expect that my other users also have read access on
that tree; perhaps I'm wrong here?

View raw message