Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2016/08/09 08:58:28 UTC

svn commit: r1755583 - in /jackrabbit/oak/trunk: oak-doc/src/site/markdown/security/permission.md oak-jcr/pom.xml oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java

Author: angela
Date: Tue Aug  9 08:58:28 2016
New Revision: 1755583

URL: http://svn.apache.org/viewvc?rev=1755583&view=rev
Log:
OAK-4196 : EventListener gets removed event for denied node

Modified:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
    jackrabbit/oak/trunk/oak-jcr/pom.xml
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md?rev=1755583&r1=1755582&r2=1755583&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md Tue Aug  9 08:58:28 2016
@@ -229,6 +229,21 @@ regular JCR write permissions. This affe
     permission `USER_MANAGEMENT` to be granted for the editing subject. This permission (including a corresponding privilege)
     has been introduced with Oak 1.0. See below for configuration parameters to obtain backwards compatible behavior.
 
+##### Observation
+
+Permission evaluation is also applied when delivering observation events
+respecting the effective permission setup of the `Session` that registered
+the `EventListener`.
+
+However, it is important to understand that events are only delivered once
+the modifications have been successfully persisted and permissions will
+be evaluated against the persisted state.
+
+In other words: Changing the permission setup along with the modifications 
+to be reported to the `EventListener` will result in events being included
+or excluded according to the modified permissions. See [OAK-4196] for an example.
+
+
 <a name="api_extensions"/>
 ### API Extensions
 
@@ -303,4 +318,5 @@ The supported configuration options of t
 [AggregatedPermissionProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.html
 [OAK-444]: https://issues.apache.org/jira/browse/OAK-444
 [JCR-2963]: https://issues.apache.org/jira/browse/JCR-2963
-[OAK-1268]: https://issues.apache.org/jira/browse/OAK-1268
\ No newline at end of file
+[OAK-1268]: https://issues.apache.org/jira/browse/OAK-1268
+[OAK-4196]: https://issues.apache.org/jira/browse/OAK-4196
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-jcr/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/pom.xml?rev=1755583&r1=1755582&r2=1755583&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-jcr/pom.xml Tue Aug  9 08:58:28 2016
@@ -78,7 +78,6 @@
       org.apache.jackrabbit.core.observation.ReorderTest                                           <!-- Uses SNS -->
       org.apache.jackrabbit.core.observation.ShareableNodesTest#testAddShare                       <!-- OAK-118 workspace support needed -->
       org.apache.jackrabbit.core.observation.ShareableNodesTest#testRemoveShare                    <!-- OAK-118 workspace support needed -->
-      org.apache.jackrabbit.oak.jcr.security.authorization.ObservationTest#testEventDeniedNode     <!-- OAK-4196 -->
 
       <!-- Versioning -->
       org.apache.jackrabbit.test.api.version.VersionTest#testMerge

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java?rev=1755583&r1=1755582&r2=1755583&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java Tue Aug  9 08:58:28 2016
@@ -16,6 +16,8 @@
  */
 package org.apache.jackrabbit.oak.jcr.security.authorization;
 
+import java.util.ArrayList;
+import java.util.List;
 import javax.jcr.observation.Event;
 import javax.jcr.observation.ObservationManager;
 
@@ -60,9 +62,11 @@ public class ObservationTest extends Abs
         }
     }
 
-    // OAK-4196
+    /**
+     * @see <a href="https://issues.apache.org/jira/browse/OAK-4196">OAK-4196</a>
+     */
     @Test
-    public void testEventDeniedNode() throws Exception {
+    public void testEventRemovedNodeWhenDenyEntryIsRemoved() throws Exception {
         // withdraw the READ privilege on childNPath
         deny(childNPath, readPrivileges);
 
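Review bot: The Javadoc added above `testEventRemovedNodeWhenDenyEntryIsRemoved` holds only an `@see` link, so a reader has to open the issue tracker to learn which permission behaviour the test pins down. A summary sentence would help, for example `Verifies that a NODE_REMOVED event is delivered for a node whose deny entry is removed together with the node, because permissions are evaluated against the persisted state.` The same applies to the Javadoc added above `testEventRemovedNode` in the next hunk. The method body continues outside this hunk.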
@@ -81,22 +85,29 @@ public class ObservationTest extends Abs
             superuser.getItem(childNPath2).remove();
             superuser.save();
 
-            // since the testUser does not have read-permission on the removed
-            // childNPath, no corresponding event must be generated.
+            // since the events are generated _after_ persisting all the changes
+            // and the removal also removes the permission entries denying access
+            // testUser will be notified about the removal because the remaining
+            // permission setup after the removal grants read access.
             Event[] evts = listener.getEvents(DEFAULT_WAIT_TIMEOUT);
+            List<String> eventPaths = new ArrayList<String>();
             for (Event evt : evts) {
-                if (evt.getType() == Event.NODE_REMOVED &&
-                        evt.getPath().equals(childNPath)) {
-                    fail("TestUser does not have READ permission on " + childNPath);
+                if (evt.getType() == Event.NODE_REMOVED) {
+                    eventPaths.add(evt.getPath());
                 }
             }
+            assertTrue(eventPaths.contains(childNPath));
+            assertTrue(eventPaths.contains(childNPath2));
         } finally {
             obsMgr.removeEventListener(listener);
         }
     }
 
+    /**
+     * @see <a href="https://issues.apache.org/jira/browse/OAK-4196">OAK-4196</a>
+     */
     @Test
-    public void testEventDeniedNode2() throws Exception {
+    public void testEventRemovedNode() throws Exception {
         // withdraw the READ privilege on childNPath
         deny(path, readPrivileges);
 
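Review bot: The two new `assertTrue(eventPaths.contains(...))` calls carry no message, so a failure will not show which paths the listener actually received; `assertTrue("expected NODE_REMOVED for " + childNPath + ", got " + eventPaths, eventPaths.contains(childNPath));` would make a regression in event permission filtering diagnosable. The test now fixes as expected behaviour that testUser learns the path of a node it was denied READ on while the node existed, and the inline comment should say so explicitly, e.g. `// note: the path of the previously unreadable node is disclosed to the listener (see OAK-4196)`. In the following method the context comment `// withdraw the READ privilege on childNPath` sits above `deny(path, readPrivileges)` and looks stale. That method's body continues outside the hunk.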
@@ -108,8 +119,7 @@ public class ObservationTest extends Abs
         try {
             obsMgr.addEventListener(listener, Event.NODE_REMOVED, testRoot, true, null, null, true);
 
-            // superuser removes the node with childNPath & childNPath2 in
-            // order to provoke events being generated
+            // superuser removes the node with childNPath order to provoke events being generated
             superuser.getItem(childNPath).remove();
             superuser.save();