jackrabbit-users mailing list archives

From Guillaume Belrose <kafe...@gmail.com>
Subject Restrict access to a node's content with a glob pattern when using resource based ACLs.
Date Wed, 18 Jan 2012 17:09:01 GMT
Hi all,

I am working on a software product which uses Jackrabbit's access
control mechanism to restrict how users can access information stored
in nodes organized as a hierarchy. A requirement of my system is that
part of the hierarchy is fixed and can only be updated by admin users.
Within nodes of the hierarchy, users are free to create/modify/delete
other nodes to organize content as they see fit.

For a given node, I have the need to grant users write access on the
content of the node, but not on the node itself.

After some trial and error, I seem to have achieved this by using glob
patterns on the node I am trying to protect (this is Scala code, but
the Java version would be very similar):

    import javax.jcr.security.Privilege
    // Assumed import: converts the Scala Map passed below into the
    // java.util.Map[String, Value] that addEntry expects.
    import scala.collection.JavaConversions._

    // session, um (UserManager), acm (AccessControlManager) and acl
    // (the JackrabbitAccessControlList of the parent node) are set up earlier.
    val vf = session.getValueFactory

    // Setting an ACL on the parent node so that the user "username" can't
    // modify the parent node while being granted all rights on its content.
    acl.addEntry(
      um.getAuthorizable(username).getPrincipal,
      Array(
        acm.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
        acm.privilegeFromName(Privilege.JCR_REMOVE_CHILD_NODES)
      ),
      true,
      Map("rep:glob" -> vf.createValue("*"))   // "*": the parent path itself and its descendants
    )

    acl.addEntry(
      um.getAuthorizable(username).getPrincipal,
      Array(
        acm.privilegeFromName(Privilege.JCR_WRITE)
      ),
      true,
      Map("rep:glob" -> vf.createValue("/*"))  // "/*": descendants only, not the parent itself
    )

This seems to work: users are free to create/delete nodes within a
parent node, but are not allowed to delete the parent node itself.
However, I am just wondering if there is a lighter way of achieving the
same result.

Thanks in advance,

Guillaume.
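Added example, not code from the post or from Jackrabbit itself: a Java version of the two glob-restricted entries above, applied on a local Jackrabbit 2.x TransientRepository and followed by the checks one would run as the restricted user to confirm the intended effect. The path /content/project, the user alice and its password are made up for the example.

```java
import java.util.Collections;
import javax.jcr.*;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.core.TransientRepository;

public class GlobAclCheck {
    static final String PARENT = "/content/project"; // constructed path of the node to protect
    static final String USER = "alice";              // constructed test user
    // On a node with no policy yet, the editable ACL is the JackrabbitAccessControlList
    // among the applicable policies (use acm.getPolicies(path) for one already bound).
    static JackrabbitAccessControlList aclAt(AccessControlManager acm, String path) throws RepositoryException {
        for (AccessControlPolicyIterator it = acm.getApplicablePolicies(path); it.hasNext();) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        throw new RepositoryException("no modifiable ACL at " + path);
    }
    public static void main(String[] args) throws Exception {
        Repository repo = new TransientRepository(); // local Jackrabbit 2.x repository
        JackrabbitSession admin = (JackrabbitSession) repo.login(
                new SimpleCredentials("admin", "admin".toCharArray()));
        admin.getRootNode().addNode("content").addNode("project");
        java.security.Principal who = admin.getUserManager().createUser(USER, "secret").getPrincipal();
        AccessControlManager acm = admin.getAccessControlManager();
        JackrabbitAccessControlList acl = aclAt(acm, PARENT);
        // Entry 1 (glob "*"): child-node privileges on the parent path itself and its descendants.
        acl.addEntry(who, new Privilege[] {
                acm.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
                acm.privilegeFromName(Privilege.JCR_REMOVE_CHILD_NODES) },
                true, Collections.singletonMap("rep:glob", admin.getValueFactory().createValue("*")));
        // Entry 2 (glob "/*"): full write on descendants only, never on the parent itself.
        acl.addEntry(who, new Privilege[] { acm.privilegeFromName(Privilege.JCR_WRITE) },
                true, Collections.singletonMap("rep:glob", admin.getValueFactory().createValue("/*")));
        acm.setPolicy(PARENT, acl); admin.save();
        // Verify the effective rights as the restricted user (default config grants everyone read).
        Session s = repo.login(new SimpleCredentials(USER, "secret".toCharArray()));
        AccessControlManager uacm = s.getAccessControlManager();
        Privilege[] removeNode = { uacm.privilegeFromName(Privilege.JCR_REMOVE_NODE) };
        Privilege[] addChild = { uacm.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES) };
        System.out.println("add children to parent: " + uacm.hasPrivileges(PARENT, addChild));   // expect true
        System.out.println("remove parent itself:   " + uacm.hasPrivileges(PARENT, removeNode)); // expect false
        Node child = s.getNode(PARENT).addNode("notes"); s.save();
        System.out.println("remove own child node:  " + uacm.hasPrivileges(child.getPath(), removeNode)); // expect true
        try { s.getNode(PARENT).remove(); s.save(); System.out.println("parent removed (unexpected)"); }
        catch (AccessDeniedException expected) { System.out.println("parent removal denied"); }
        s.logout(); admin.logout();
    }
}
```

Because rep:glob is appended to the node path, it is also worth repeating the hasPrivileges checks on a sibling whose name starts with the same prefix (e.g. /content/project2), which the "*" entry can match.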
