Posted to oak-issues@jackrabbit.apache.org by "Alex Parvulescu (JIRA)" <ji...@apache.org> on 2017/05/03 11:07:04 UTC

[jira] [Commented] (OAK-5947) Allowing non-admin user to set repository permissions fails

    [ https://issues.apache.org/jira/browse/OAK-5947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15994663#comment-15994663 ] 

Alex Parvulescu commented on OAK-5947:
--------------------------------------

Looks good to me!
The only (cosmetic) suggestion I have is to store the {{RepositoryPermission}} directly in the {{RepoPolicyTreePermission}} instead of doing {{compiledPermission.getRepositoryPermission()}} all the time.

> Allowing non-admin user to set repository permissions fails
> -----------------------------------------------------------
>
>                 Key: OAK-5947
>                 URL: https://issues.apache.org/jira/browse/OAK-5947
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.0, 1.2, 1.4.0, 1.6.0
>            Reporter: Julian Sedding
>            Assignee: angela
>             Fix For: 1.8
>
>         Attachments: OAK-5947.patch, OAK-5947-tests.patch, SetRepoPolicyTest.patch
>
>
> Given a user principal {{testUser}} is granted {{jcr:readAccessControl}} and {{jcr:modifyAccessControl}} on the repository ({{rep:repoPolicy}}), I would expect that this user can e.g. allow {{everyone}} the {{jcr:namespaceManagement}} permission on the repository.
> Currently this fails with the following exception:
> {noformat}
> javax.jcr.PathNotFoundException: No tree at null
> 	at org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager.getTree(AbstractAccessControlManager.java:163)
> 	at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.getApplicablePolicies(AccessControlManagerImpl.java:184)
> 	at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator$7.perform(AccessControlManagerDelegator.java:121)
> 	at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator$7.perform(AccessControlManagerDelegator.java:117)
> 	at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:208)
> 	at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator.getApplicablePolicies(AccessControlManagerDelegator.java:117)
> 	at org.apache.jackrabbit.oak.jcr.delegate.JackrabbitAccessControlManagerDelegator.getApplicablePolicies(JackrabbitAccessControlManagerDelegator.java:147)
> 	at org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils.getAccessControlList(AccessControlUtils.java:128)
> 	at org.apache.jackrabbit.oak.jcr.SetRepoPolicyPermissionsTest.setRepositoryPermissions(SetRepoPolicyPermissionsTest.java:85)
>         ....
> {noformat}
> or after granting {{jcr:read}} on {{/}}:
> {noformat}
> javax.jcr.AccessDeniedException
> 	at org.apache.jackrabbit.oak.util.NodeUtil.addChild(NodeUtil.java:113)
> 	at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setNodeBasedAcl(AccessControlManagerImpl.java:289)
> 	at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setPolicy(AccessControlManagerImpl.java:220)
> 	at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator$8.performVoid(AccessControlManagerDelegator.java:132)
> 	at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274)
> 	at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator.setPolicy(AccessControlManagerDelegator.java:129)
> 	at org.apache.jackrabbit.oak.jcr.delegate.JackrabbitAccessControlManagerDelegator.setPolicy(JackrabbitAccessControlManagerDelegator.java:152)
> 	at org.apache.jackrabbit.oak.jcr.SetRepoPolicyPermissionsTest.setRepositoryPermissions(SetRepoPolicyPermissionsTest.java:90)
>         ....
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
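
The scenario from the quoted issue description, written out as an added example (not code from the issue's attachments or from the Oak project). It assumes an in-memory Oak repository created with `new Jcr()`, Oak's default `admin`/`admin` credentials, and a constructed password for `testUser`; the class and helper names are hypothetical.

```java
import java.security.Principal;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlManager;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.jcr.Jcr;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;

public class RepoPolicyScenario {
    // Adds an allow entry to the repository-level policy (null path = rep:repoPolicy).
    static void allowOnRepository(Session s, Principal p, String... privs)
            throws RepositoryException {
        AccessControlManager acMgr = s.getAccessControlManager();
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, null);
        if (acl == null) {
            throw new RepositoryException("no repository-level ACL available to this session");
        }
        acl.addEntry(p, AccessControlUtils.privilegesFromNames(acMgr, privs), true);
        acMgr.setPolicy(null, acl);
        s.save();
    }

    public static void main(String[] args) throws Exception {
        Repository repo = new Jcr().createRepository(); // assumption: in-memory Oak
        char[] pw = "constructed-pw".toCharArray();     // constructed sample password
        Session admin = repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            User user = ((JackrabbitSession) admin).getUserManager()
                    .createUser("testUser", new String(pw));
            admin.save();
            // Delegate access control management on the repository to testUser only.
            allowOnRepository(admin, user.getPrincipal(),
                    "jcr:readAccessControl", "jcr:modifyAccessControl");
        } finally {
            admin.logout();
        }
        Session test = repo.login(new SimpleCredentials("testUser", pw));
        try {
            allowOnRepository(test, EveryonePrincipal.getInstance(), "jcr:namespaceManagement");
            System.out.println("testUser updated the repository-level policy");
        } catch (RepositoryException e) {
            System.out.println("testUser was refused: " + e);
        } finally {
            test.logout();
        }
    }
}
```

The two stack traces in the report pass through the same calls that the second session makes here: `AccessControlUtils.getAccessControlList` and `setPolicy`.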