jackrabbit-users mailing list archives

From Guillaume Belrose <kafe...@gmail.com>
Subject Question regarding combining use of resource-based ACLs and principal-based ACLs in Jackrabbit.
Date Wed, 24 Aug 2011 10:44:03 GMT
Hi all,

I am doing some testing to understand what is possible to achieve
using a combination of resource-based ACLs and principal-based ACLs in
Jackrabbit.
I am using version 2.2.0 of Jackrabbit core with the CombinedProvider.
I've written a test which prevents a user userX from reading a given
node called A. This was achieved by setting up an ACL on the node A to
deny read access to userX.
By inheritance, userX is not granted read access on a sub folder of A
called subfolder.

I then create a principal-based ACL which grants the user read access
to a sub folder of /A/subfolder: /A/subfolder/subfolder
Even though userX has been granted the right via the Principal-based
ACL, he is not able to read the folder.

Is this actually possible? I wonder if principal-based and
resource-based ACLs can work together but only on separate sets of
nodes.

In case it might help, I enclose an extract from the test I am running
(written in Scala).

Regards,

Guillaume Belrose.


  // Extract from the poster's ScalaTest WordSpec. rwSession, roSession and withACL
  // are helpers from the same test (not shown here) that open a session as the
  // given user, run the block and close the session; withACL fetches the
  // resource-based list for a path or the principal-based list for a principal.
  // Imports added for the JCR types the extract references.
  import javax.jcr.{PathNotFoundException, PropertyType, Value}
  import javax.jcr.security.Privilege
  // Lets the Scala Map below be passed where
  // JackrabbitAccessControlList.addEntry expects a java.util.Map[String, Value].
  import scala.collection.JavaConversions._

  "The user fred" should {

    "not be able to see the existing node 'A' with an ACL which prevents access" in {

      rwSession(repository, superuserName, superuserPassword) { session =>
        session.getRootNode.addNode("A")

        // Resource-based ACL on /A: deny jcr:all to the user.
        withACL(session, "/A") { acl =>
          acl.addEntry(
            session.getUserManager.getAuthorizable(username).getPrincipal,
            Array(session.getAccessControlManager.privilegeFromName(Privilege.JCR_ALL)),
            false)
        }
      }

      evaluating {
        rwSession(repository, username, username) { session =>
          session.getNode("/A")
        }
      } should produce [PathNotFoundException]
    }

    "(by inheritance) not be able to see any subnode of the node 'A'" in {

      rwSession(repository, superuserName, superuserPassword) { session =>
        session.getNode("/A").addNode("subfolder")
      }

      evaluating {
        rwSession(repository, username, username) { session =>
          session.getNode("/A/subfolder")
        }
      } should produce [PathNotFoundException]
    }

    "be able to see sub nodes of /A/subfolder thanks to a pattern granting read access" in {
      rwSession(repository, superuserName, superuserPassword) { session =>
        session.getNode("/A/subfolder").addNode("subfolder")
        val user = session.getUserManager.getAuthorizable(username)

        // Principal-based ACL for the user: allow jcr:read, restricted to
        // the node /A/subfolder/subfolder (rep:nodePath plus rep:glob).
        withACL(session, user.getPrincipal) { acl =>
          val vf = session.getValueFactory
          val read =
            Array(session.getAccessControlManager.privilegeFromName(Privilege.JCR_READ))
          val restrictions: Map[String, Value] = Map(
            "rep:nodePath" -> vf.createValue("/A/subfolder", PropertyType.PATH),
            "rep:glob"     -> vf.createValue("/subfolder")
          )
          acl.addEntry(user.getPrincipal, read, true, restrictions)
        }
      }

      roSession(repository, username, username) { session =>
        session.getNode("/A/subfolder/subfolder")
      }
    }
  }
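When a resource-based and a principal-based entry disagree, the quickest way to see why a read fails is to list the policies Jackrabbit actually applies at the path and then ask the user's own session for its effective privileges. The helper below is an added example, not code from the post or from Jackrabbit itself; it uses only the JCR 2.0 and jackrabbit-api methods named in it, and assumes the sessions are JackrabbitSession instances (as the poster's rwSession/roSession helpers presumably yield) and that the object and method names are mine.

```scala
import javax.jcr.PathNotFoundException
import javax.jcr.security.Privilege
import org.apache.jackrabbit.api.JackrabbitSession
import org.apache.jackrabbit.api.security.{JackrabbitAccessControlEntry, JackrabbitAccessControlList, JackrabbitAccessControlManager}

// Hypothetical diagnostic helper (not part of the poster's test).
object AclDiagnostics {

  // Render each entry of an ACL as "<policy path> allow|deny <principal> [privileges]".
  private def entries(acl: JackrabbitAccessControlList): Seq[String] =
    acl.getAccessControlEntries.toSeq.collect {
      case ace: JackrabbitAccessControlEntry =>
        acl.getPath + " " + (if (ace.isAllow) "allow" else "deny") + " " +
          ace.getPrincipal.getName + " [" + ace.getPrivileges.map(_.getName).mkString(",") + "]"
    }

  // Run with an administrative session: lists the resource-based policies that are
  // effective at `path` (inherited ones included) and the principal-based policies
  // bound to `principalName`, so both sources of the decision are visible side by side.
  def explain(admin: JackrabbitSession, path: String, principalName: String): Seq[String] = {
    val acm = admin.getAccessControlManager.asInstanceOf[JackrabbitAccessControlManager]
    val principal = admin.getUserManager.getAuthorizable(principalName).getPrincipal

    val resourceBased = acm.getEffectivePolicies(path).toSeq.collect {
      case acl: JackrabbitAccessControlList => entries(acl)
    }.flatten
    val principalBased = acm.getPolicies(principal).toSeq.collect {
      case acl: JackrabbitAccessControlList => entries(acl)
    }.flatten

    resourceBased.map("resource-based: " + _) ++ principalBased.map("principal-based: " + _)
  }

  // Run with the user's own session: the effective answer for jcr:read. A
  // PathNotFoundException means the node is not even visible to this session,
  // which is reported as "not readable" rather than propagated.
  def canRead(userSession: JackrabbitSession, path: String): Boolean = {
    val acm = userSession.getAccessControlManager
    val read = Array(acm.privilegeFromName(Privilege.JCR_READ))
    try acm.hasPrivileges(path, read)
    catch { case _: PathNotFoundException => false }
  }
}
```

Calling `explain` for "/A/subfolder/subfolder" after the third test's setup shows the inherited deny from /A next to the principal-based allow, which is the pair the CombinedProvider is evaluating when `canRead` returns false.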