Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2016/08/09 08:58:28 UTC
svn commit: r1755583 - in /jackrabbit/oak/trunk:
oak-doc/src/site/markdown/security/permission.md oak-jcr/pom.xml
oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java
Author: angela
Date: Tue Aug 9 08:58:28 2016
New Revision: 1755583
URL: http://svn.apache.org/viewvc?rev=1755583&view=rev
Log:
OAK-4196 : EventListener gets removed event for denied node
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
jackrabbit/oak/trunk/oak-jcr/pom.xml
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md?rev=1755583&r1=1755582&r2=1755583&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md Tue Aug 9 08:58:28 2016
@@ -229,6 +229,21 @@ regular JCR write permissions. This affe
permission `USER_MANAGEMENT` to be granted for the editing subject. This permission (including a corresponding privilege)
has been introduced with Oak 1.0. See below for configuration parameters to obtain backwards compatible behavior.
+##### Observation
+
+Permission evaluation is also applied when delivering observation events
+respecting the effective permission setup of the `Session` that registered
+the `EventListener`.
+
+However, it is important to understand that events are only delivered once
+the modifications have been successfully persisted and permissions will
+be evaluated against the persisted state.
+
+In other words: Changing the permission setup along with the modifications
+to be reported to the `EventListener` will result in events being included
+or excluded according to the modified permissions. See [OAK-4196] for an example.
+
+
<a name="api_extensions"/>
### API Extensions
@@ -303,4 +318,5 @@ The supported configuration options of t
[AggregatedPermissionProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.html
[OAK-444]: https://issues.apache.org/jira/browse/OAK-444
[JCR-2963]: https://issues.apache.org/jira/browse/JCR-2963
-[OAK-1268]: https://issues.apache.org/jira/browse/OAK-1268
\ No newline at end of file
+[OAK-1268]: https://issues.apache.org/jira/browse/OAK-1268
+[OAK-4196]: https://issues.apache.org/jira/browse/OAK-4196
\ No newline at end of file
Modified: jackrabbit/oak/trunk/oak-jcr/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/pom.xml?rev=1755583&r1=1755582&r2=1755583&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-jcr/pom.xml Tue Aug 9 08:58:28 2016
@@ -78,7 +78,6 @@
org.apache.jackrabbit.core.observation.ReorderTest <!-- Uses SNS -->
org.apache.jackrabbit.core.observation.ShareableNodesTest#testAddShare <!-- OAK-118 workspace support needed -->
org.apache.jackrabbit.core.observation.ShareableNodesTest#testRemoveShare <!-- OAK-118 workspace support needed -->
- org.apache.jackrabbit.oak.jcr.security.authorization.ObservationTest#testEventDeniedNode <!-- OAK-4196 -->
<!-- Versioning -->
org.apache.jackrabbit.test.api.version.VersionTest#testMerge
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java?rev=1755583&r1=1755582&r2=1755583&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/ObservationTest.java Tue Aug 9 08:58:28 2016
@@ -16,6 +16,8 @@
*/
package org.apache.jackrabbit.oak.jcr.security.authorization;
+import java.util.ArrayList;
+import java.util.List;
import javax.jcr.observation.Event;
import javax.jcr.observation.ObservationManager;
@@ -60,9 +62,11 @@ public class ObservationTest extends Abs
}
}
- // OAK-4196
+ /**
+ * @see <a href="https://issues.apache.org/jira/browse/OAK-4196">OAK-4196</a>
+ */
@Test
- public void testEventDeniedNode() throws Exception {
+ public void testEventRemovedNodeWhenDenyEntryIsRemoved() throws Exception {
// withdraw the READ privilege on childNPath
deny(childNPath, readPrivileges);
@@ -81,22 +85,29 @@ public class ObservationTest extends Abs
superuser.getItem(childNPath2).remove();
superuser.save();
- // since the testUser does not have read-permission on the removed
- // childNPath, no corresponding event must be generated.
+ // since the events are generated _after_ persisting all the changes
+ // and the removal also removes the permission entries denying access
+ // testUser will be notified about the removal because the remaining
+ // permission setup after the removal grants read access.
Event[] evts = listener.getEvents(DEFAULT_WAIT_TIMEOUT);
+ List<String> eventPaths = new ArrayList<String>();
for (Event evt : evts) {
- if (evt.getType() == Event.NODE_REMOVED &&
- evt.getPath().equals(childNPath)) {
- fail("TestUser does not have READ permission on " + childNPath);
+ if (evt.getType() == Event.NODE_REMOVED) {
+ eventPaths.add(evt.getPath());
}
}
+ assertTrue(eventPaths.contains(childNPath));
+ assertTrue(eventPaths.contains(childNPath2));
} finally {
obsMgr.removeEventListener(listener);
}
}
+ /**
+ * @see <a href="https://issues.apache.org/jira/browse/OAK-4196">OAK-4196</a>
+ */
@Test
- public void testEventDeniedNode2() throws Exception {
+ public void testEventRemovedNode() throws Exception {
// withdraw the READ privilege on childNPath
deny(path, readPrivileges);
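Review bot: The two `assertTrue(eventPaths.contains(...))` calls at the end of the try block carry no failure message, so a regression in permission-filtered event delivery would surface as a bare AssertionError without showing which paths were actually delivered. Adding one, e.g. `assertTrue("no NODE_REMOVED for " + childNPath + ", got " + eventPaths, eventPaths.contains(childNPath));` and the same for `childNPath2`, would make that failure diagnosable. Because the test now pins that a session denied READ on `childNPath` still learns that path once the deny entry disappears with the node, the new comment could say so directly, for instance `// note: the event exposes the path of a node testUser could not read before the removal`. The test method starts before this hunk, so the listener setup and the first removal are not visible here.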
@@ -108,8 +119,7 @@ public class ObservationTest extends Abs
try {
obsMgr.addEventListener(listener, Event.NODE_REMOVED, testRoot, true, null, null, true);
- // superuser removes the node with childNPath & childNPath2 in
- // order to provoke events being generated
+ // superuser removes the node with childNPath order to provoke events being generated
superuser.getItem(childNPath).remove();
superuser.save();