jackrabbit-users mailing list archives

From Angela Schreiber <anch...@adobe.com>
Subject Re: AccessControll
Date Thu, 03 May 2012 12:27:19 GMT
hi

> What I am trying to do is the following:
>
> Create users "user1", "user2"
>
> Create structure:
> /templatesNode/template1Node/.../
>                         /template2Node/.../
>                         /template3Node/.../
>                         /template4Node/.../
>
> "user1" be able to delete and write on template1Node and template2Node
> "user2" be able to delete and write on template3Node and template4Node
>
> So in order to do that I need to:
> - Provide on /templatesNode jcr:removeChildNodes access to user1 and user2
> - Provide /template1Node and /template2Node all access to user1

well... not all... i would just grant jcr:read, jcr:write and 
jcr:nodeTypeManagement.

> - Provide /template3Node and /template4Node all access to user2

same here.

> But like that user1 can remove template3Node and template4Node and user2 can
> remove template1Node and template2Node.

why that? in order to be able to remove a node you must have both
privileges. jcr:removeChildNodes on the parent AND jcr:removeNode
on the target node itself. so, user1 will not be able to remove
template3Node if he/she is only granted jcr:removeChildNodes on
the parent...

> With the little knowledge of Jackrabbit a solution can be to deny removeNode on
> template3Node and template4Node to user1 and do the same for user2 on
> template1Node and template2Node, but I am planning to have many users and
> many nodes under templatesNode so I think it is not a solution.

you don't have to remove jcr:removeNode privilege if it hasn't
been granted before. and as far as i understood your user1
would not have any kind of write permission on the template3Node.
so, i think it does what you expected.

> Do you have a better approach to what I am trying to do?

from time to time it's possible to simplify things using
an additional pattern-matching restriction with the access
control entries. but that requires a naming pattern that is
suitable for this.

kind regards
angela

> Thank you!
>
> --
> View this message in context: http://jackrabbit.510166.n4.nabble.com/AccessControll-tp4604580p4605812.html
> Sent from the Jackrabbit - Users mailing list archive at Nabble.com.
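
The grants discussed in this thread, written against the JCR 2.0 / Jackrabbit API as an added example (not code from the original posts or from the Jackrabbit project). The class and method names are hypothetical; it assumes user1, user2 and the template nodes already exist, that `admin` is an administrative session, and that both users can read everything under /templatesNode.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

public class TemplateAcls {   // hypothetical class name

    /** Adds one allow entry for principalName at path (run with an admin session). */
    static void allow(Session admin, String path, String principalName, String... privNames)
            throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        Principal principal =
            ((JackrabbitSession) admin).getPrincipalManager().getPrincipal(principalName);
        // Reuse the ACL already set on the node; otherwise take an applicable one.
        JackrabbitAccessControlList acl = null;
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) acl = (JackrabbitAccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (acl == null && it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) acl = (JackrabbitAccessControlList) p;
        }
        if (acl == null) throw new RepositoryException("no ACL available at " + path);
        Privilege[] privs = new Privilege[privNames.length];
        for (int i = 0; i < privs.length; i++) privs[i] = acm.privilegeFromName(privNames[i]);
        acl.addEntry(principal, privs, true);   // true = allow entry
        acm.setPolicy(path, acl);
    }

    /** Grants from the thread; no deny entries are needed. */
    public static void setup(Session admin) throws RepositoryException {
        String[] own = {Privilege.JCR_READ, Privilege.JCR_WRITE, Privilege.JCR_NODE_TYPE_MANAGEMENT};
        allow(admin, "/templatesNode", "user1", Privilege.JCR_REMOVE_CHILD_NODES);
        allow(admin, "/templatesNode", "user2", Privilege.JCR_REMOVE_CHILD_NODES);
        for (int n = 1; n <= 4; n++) {   // templates 1-2 -> user1, 3-4 -> user2
            allow(admin, "/templatesNode/template" + n + "Node", n <= 2 ? "user1" : "user2", own);
        }
        admin.save();
    }

    /** True only if s holds both privileges a removal needs. */
    public static boolean mayRemove(Session s, String path) throws RepositoryException {
        AccessControlManager acm = s.getAccessControlManager();
        String parent = path.lastIndexOf('/') == 0 ? "/" : path.substring(0, path.lastIndexOf('/'));
        Privilege[] onParent = {acm.privilegeFromName(Privilege.JCR_REMOVE_CHILD_NODES)};
        Privilege[] onTarget = {acm.privilegeFromName(Privilege.JCR_REMOVE_NODE)};   // part of jcr:write
        return acm.hasPrivileges(parent, onParent) && acm.hasPrivileges(path, onTarget);
    }
}
```

Called with a session logged in as user1, `mayRemove` is expected to return true for /templatesNode/template1Node and false for /templatesNode/template3Node, because jcr:removeNode (contained in jcr:write) was only granted on the first.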
