You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "Angela Schreiber (Jira)" <ji...@apache.org> on 2019/11/08 10:26:00 UTC
[jira] [Assigned] (OAK-7937) Implement
CugAccessControlManager.getEffectivePolicies(Set principals)
[ https://issues.apache.org/jira/browse/OAK-7937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Angela Schreiber reassigned OAK-7937:
-------------------------------------
Assignee: Angela Schreiber (was: Alex Deparvu)
> Implement CugAccessControlManager.getEffectivePolicies(Set<Principal> principals)
> ---------------------------------------------------------------------------------
>
> Key: OAK-7937
> URL: https://issues.apache.org/jira/browse/OAK-7937
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: authorization-cug, security
> Reporter: Angela Schreiber
> Assignee: Angela Schreiber
> Priority: Major
> Fix For: 1.20.0
>
>
> today CugAccessControlManager.getEffectivePolicies(Set<Principal> principals) returns an empty array and has a comment stating that this is not implemented.
> having thought this through again, i think there was some benefit in having the implementation. as long as the given set of principal does NOT include everyone the return value should just include the CUG-policies that explicitly list any of principals. IF _everyone_ was part of the set, the return-value basically includes _all_ CUG-policies, because every CUG will deny read-access for everyone except for the principals explicitly listed in the CUG-policy... if we do the latter as lazy as possible it might still be doable even in a scenario, when there are tons of CUG-policies specified.
> [~stillalex], wdyt? do you want to take care of this?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)