sling-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mohit Arora (Jira)" <j...@apache.org>
Subject [jira] [Commented] (SLING-9090) AclLine.Action.REMOVE and AclLine.Action.REMOVE_ALL not handled in jcr implementation
Date Mon, 02 Mar 2020 08:04:00 GMT

    [ https://issues.apache.org/jira/browse/SLING-9090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17048856#comment-17048856
] 

Mohit Arora commented on SLING-9090:
------------------------------------

[~bdelacretaz], [~angela] We do have a usecase for remove functionality. Right now, it silently
converts the {{remove}} action into {{deny}} which is not something one would expect while
using the feature. Although I do see SLING documentation [0] mentioning {{remove is currently
not supported by the jcr.repoinit module}}, it does not mention that {{remove}} is being converted
to {{deny}} under the hood.

We have a deadline for a feature release and to avoid a security issue we are currently using
{{remove ACL}} in our feature model which is adding {{deny}} for the service user on specified
path. We would not want it to fail with an error as it is currently supported (albeit performing
wrongly, but supported, nevertheless). It would indeed be beneficial to have proper implementation
of {{remove}} such that existing usages do not need any change. For existing implementation,
they would continue adding deny ACE and for new implementation, they will simply remove the
ACE from specified path if present. If not present, it should silently abort.

cc - [~shgupta], [~ashishc]

[0] https://sling.apache.org/documentation/bundles/repository-initialization.html

> AclLine.Action.REMOVE and AclLine.Action.REMOVE_ALL not handled in jcr implementation
> -------------------------------------------------------------------------------------
>
>                 Key: SLING-9090
>                 URL: https://issues.apache.org/jira/browse/SLING-9090
>             Project: Sling
>          Issue Type: Bug
>          Components: Repoinit
>            Reporter: Angela Schreiber
>            Priority: Major
>
> [~bdelacretaz], while the documentation and the parser code provides the ability to remove
an individual or all access control entries, it seems the JCR implementation doesn't actually
support it.
> using it may lead to odd side effects or failures.... so, i think either the parser should
remove the support for Action.REMOVE and Action.REMOVE_ALL or the jcr implementation part
should respect it... at the very minimum it should spot any usage of it and fail the repo-init
if there is no way to implement it properly. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message