jackrabbit-users mailing list archives

From Alexander Klimetschek <aklim...@adobe.com>
Subject Re: Conditional access control
Date Mon, 10 Oct 2011 22:15:46 GMT
On 10.10.11 23:02, "Markus Joschko" <markus.joschko@gmail.com> wrote:

>In my repository I have a structure that has many deep branches.
>Within these branches there are three different types of nodes.
>Each type is maintained by another group of users. These groups can be
>configured per branch
>(it's a bit like in a file system where one group can only maintain
>the folders and the other group only the files in a branch).
>Now the question is how to best handle the access control here.
>I can:
>- either add an ACE to each and every node in the repository and pay
>the price that I have to maintain a lot of them in case ownership of a
>branch changes or subbranches are moved into different branches.
>- find a way to hook into the accesscontrol mechanism of jackrabbit to
>make this easier. So far I have failed to find a good way to do so.
>  I initially thought about introducing custom privileges that can be
>used as markers and then extend the ACLProvider to take these
>privileges also into account when calculating permissions.
>  However, from looking at the code, it seems to me that custom
>privileges can only be defined as aggregates of existing privileges
>and then also the aggregate cannot exist twice. I guess it is not a
>  idea to create artificial aggregates just to define new privileges.
>- an alternative might be to create new accesscontrol entries that do
>not only have path restrictions but also nodetype restrictions.
>However that seems to be quite invasive and a lot of work.
>Any other ideas how to tackle that problem?

Principal-based ACLs maybe?


Alexander Klimetschek
Developer // Adobe (Day) // Berlin - Basel
