jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tobias Bocanegra <tri...@apache.org>
Subject Re: Group membership is not honoured?
Date Fri, 13 Dec 2013 05:26:33 GMT
so when I format it a bit nicer:

then /content/child has:

    "Managers": {
        "denied": [
            "jcr:removeNode",
            "jcr:modifyAccessControl",
            "jcr:versionManagement",
            "jcr:nodeTypeManagement",
            "jcr:modifyProperties",
            "jcr:addChildNodes"
        ],
        "granted": [
            "jcr:read"
        ],
        "order": 0,
        "principal": "Managers"
    },
    "everyone": {
        "denied": [
            "jcr:read"
        ],
        "order": 1,
        "principal": "everyone"
    }
}

which denies everyone read after you allow read for managers. since
all users are automatically member of "everyone" your user can't see
"child".
you need to move the 'everyone deny' up to the first position.

regards, toby

On Thu, Dec 12, 2013 at 6:16 PM, anjan <polisettya@gmail.com> wrote:
> Hi Toby, thank you for your response.  I was also under the same impression
> that the order of ACEs matter.  I posted the JSON dumps in my previous posts
> also.  Anyway, here are how the ACLs setup at each level (JSON dumps).
>
> *Root folder:*
> {"administrators":{"principal":"administrators","granted":["jcr:all"],"order":0},"everyone":{"principal":"everyone","granted":["jcr:read","jcr:readAccessControl"],"order":1}}
>
> *"content" folder (Child of Root folder):*
> {"everyone":{"principal":"everyone","granted":["jcr:removeChildNodes","jcr:read"],"order":0}}
>
> *"child" folder (Child of content folder):*
> {"Managers":{"principal":"Managers","granted":["jcr:read"],"denied":["jcr:removeNode","jcr:modifyAccessControl","jcr:versionManagement","jcr:nodeTypeManagement","jcr:modifyProperties","jcr:addChildNodes"],"order":0},"everyone":{"principal":"everyone","denied":["jcr:read"],"order":1}}
>
> You can see "order" attribute in the JSON responses.  Clearly "Managers" is
> ordered at 0 and everyone is ordered at 1 for "test" folder.  But the user
> who belongs to "Managers" group cannot see this "child" folder.
>
>
>
> --
> View this message in context: http://jackrabbit.510166.n4.nabble.com/Group-membership-is-not-honoured-tp4660059p4660065.html
> Sent from the Jackrabbit - Users mailing list archive at Nabble.com.

Mime
View raw message