Date: Thu, 12 Dec 2013 21:26:33 -0800
Subject: Re: Group membership is not honoured?
From: Tobias Bocanegra
To: "users@jackrabbit.apache.org"

so when I format it a bit nicer:
then /content/child has:

    {
      "Managers": {
        "denied": [
          "jcr:removeNode",
          "jcr:modifyAccessControl",
          "jcr:versionManagement",
          "jcr:nodeTypeManagement",
          "jcr:modifyProperties",
          "jcr:addChildNodes"
        ],
        "granted": [
          "jcr:read"
        ],
        "order": 0,
        "principal": "Managers"
      },
      "everyone": {
        "denied": [
          "jcr:read"
        ],
        "order": 1,
        "principal": "everyone"
      }
    }

which denies everyone read after you allow read for managers. since
all users are automatically members of "everyone" your user can't see
"child". you need to move the 'everyone deny' up to the first
position.

regards, toby

On Thu, Dec 12, 2013 at 6:16 PM, anjan wrote:
> Hi Toby, thank you for your response. I was also under the same impression
> that the order of ACEs matters. I posted the JSON dumps in my previous posts
> also. Anyway, here is how the ACLs are set up at each level (JSON dumps).
>
> *Root folder:*
> {"administrators":{"principal":"administrators","granted":["jcr:all"],"order":0},"everyone":{"principal":"everyone","granted":["jcr:read","jcr:readAccessControl"],"order":1}}
>
> *"content" folder (Child of Root folder):*
> {"everyone":{"principal":"everyone","granted":["jcr:removeChildNodes","jcr:read"],"order":0}}
>
> *"child" folder (Child of content folder):*
> {"Managers":{"principal":"Managers","granted":["jcr:read"],"denied":["jcr:removeNode","jcr:modifyAccessControl","jcr:versionManagement","jcr:nodeTypeManagement","jcr:modifyProperties","jcr:addChildNodes"],"order":0},"everyone":{"principal":"everyone","denied":["jcr:read"],"order":1}}
>
> You can see "order" attribute in the JSON responses. Clearly "Managers" is
> ordered at 0 and everyone is ordered at 1 for "test" folder. But the user
> who belongs to "Managers" group cannot see this "child" folder.
>
> --
> View this message in context: http://jackrabbit.510166.n4.nabble.com/Group-membership-is-not-honoured-tp4660059p4660065.html
> Sent from the Jackrabbit - Users mailing list archive at Nabble.com.
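
The ordering effect described in the reply, as an added example that is not part of the original message and is not Jackrabbit code: a simplified Python model that assumes, as the reply states, that a later entry in a node's ACL overrides an earlier one for the same privilege. Inheritance from parent nodes is not modelled, and the function names, including the `shadowed_grants` check, are hypothetical.

```python
# Constructed model, not Jackrabbit code. Assumption taken from the reply above:
# within one node's ACL, entries apply in "order" and a later entry overrides an
# earlier one for the same privilege. Inheritance from parent nodes is not modelled.

# ACL of /content/child, copied from the JSON dump in the thread.
CHILD_ACL = [
    {"principal": "Managers", "order": 0, "granted": ["jcr:read"],
     "denied": ["jcr:removeNode", "jcr:modifyAccessControl",
                "jcr:versionManagement", "jcr:nodeTypeManagement",
                "jcr:modifyProperties", "jcr:addChildNodes"]},
    {"principal": "everyone", "order": 1, "denied": ["jcr:read"]},
]

def ordered(acl):
    return sorted(acl, key=lambda ace: ace["order"])

def effective(acl, principals):
    """Map privilege -> True/False for a subject holding the given principals."""
    result = {}
    for ace in ordered(acl):
        if ace["principal"] in principals:
            result.update({p: True for p in ace.get("granted", [])})
            result.update({p: False for p in ace.get("denied", [])})
    return result

def can_read(acl, principals):
    return effective(acl, principals).get("jcr:read", False)

def move_first(acl, principal):
    """Copy of the ACL with that principal's entry first and orders renumbered."""
    first = [a for a in ordered(acl) if a["principal"] == principal]
    rest = [a for a in ordered(acl) if a["principal"] != principal]
    return [dict(a, order=i) for i, a in enumerate(first + rest)]

def shadowed_grants(acl):
    """Grants cancelled by a later 'everyone' deny (every user is in 'everyone')."""
    found = []
    entries = ordered(acl)
    for i, ace in enumerate(entries):
        for later in entries[i + 1:]:
            if later["principal"] == "everyone":
                found += [(ace["principal"], p) for p in ace.get("granted", [])
                          if p in later.get("denied", [])]
    return found

MANAGER = {"Managers", "everyone"}   # a Managers member is also in "everyone"
FIXED_ACL = move_first(CHILD_ACL, "everyone")
```

With the entries as posted, `can_read(CHILD_ACL, MANAGER)` is false and `shadowed_grants(CHILD_ACL)` reports the Managers `jcr:read` grant; with `FIXED_ACL` the Managers member can read while a user who is only in "everyone" still cannot.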