Posted to dev@sling.apache.org by "daniel parry (JIRA)" <ji...@apache.org> on 2009/06/09 12:25:07 UTC

[jira] Created: (SLING-997) ModifyAceServlet replaces rather than merges privileges

ModifyAceServlet replaces rather than merges privileges
-------------------------------------------------------

                 Key: SLING-997
                 URL: https://issues.apache.org/jira/browse/SLING-997
             Project: Sling
          Issue Type: Bug
            Reporter: daniel parry


From email discussion on sling-dev:

I have written some Perl[0] to test getting and setting permissions on nodes[1] via the get ACL servlet, and the modifyAce.html. However, if I set the permission jcr:read on one node for admin, then subsequently set the jcr:modifyAccessControl on the same node for admin, I just end up with the last permission set rather than both. Is this the intended behaviour, or should it have merged the permissions together? The JSON I end up with is:

{"admin":{"granted":["jcr:modifyAccessControl"]}}

with no mention of the read permission...?

[0]

https://saffron.caret.cam.ac.uk/svn/projects/sakoader/branches/improveGenericUse/SlingPerl

[1]

SlingPerl$ perl content.pl -U http://localhost:8080 -a -D mergeTest -u admin -p admin
Content addition to "mergeTest" succeeded!
SlingPerl$ perl authz.pl -U http://localhost:8080 -u admin -p admin -D mergeTest --read -P admin
Privileges on "mergeTest" for "admin" modified.
SlingPerl$ perl authz.pl -U http://localhost:8080 -u admin -p admin -D mergeTest -v
{"admin":{"granted":["jcr:read"]}}
SlingPerl$ perl authz.pl -U http://localhost:8080 -u admin -p admin -D mergeTest --modifyACL -P admin
Privileges on "mergeTest" for "admin" modified.
SlingPerl$ perl authz.pl -U http://localhost:8080 -u admin -p admin -D mergeTest -v
{"admin":{"granted":["jcr:modifyAccessControl"]}}

Reply from Eric Norman:

You are correct, the ModifyAceServlet does not merge the existing privileges with the submitted privileges.  If there is an existing ACE, it is replaced with a new one containing only the privileges that were submitted.

I agree with you that it should probably leave the existing privileges that did not have a value ("granted", "denied", or "none") submitted.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
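
Added example (not part of the original thread and not the attached patch): a small Java model of the two behaviours discussed above, replacing the ACE versus merging the submitted values into it. The Ace record and the replace/merge method names are hypothetical, no Sling or JCR API is used, and the jcr:write deny entry is constructed for illustration.

```java
import java.util.*;

public class AceMergeDemo {
    // Hypothetical model of one principal's ACE (not a Sling/JCR type).
    record Ace(Set<String> granted, Set<String> denied) {}

    // Reported behaviour: the existing ACE is ignored and a new one is
    // built from the submitted privileges only.
    static Ace replace(Ace existing, Map<String, String> submitted) {
        return merge(new Ace(Set.of(), Set.of()), submitted);
    }

    // Behaviour suggested in the reply: a privilege with no submitted
    // value keeps whatever state it had in the existing ACE.
    static Ace merge(Ace existing, Map<String, String> submitted) {
        Set<String> granted = new TreeSet<>(existing.granted());
        Set<String> denied = new TreeSet<>(existing.denied());
        for (Map.Entry<String, String> e : submitted.entrySet()) {
            granted.remove(e.getKey()); // a submitted value overrides the old one
            denied.remove(e.getKey());
            switch (e.getValue()) {
                case "granted" -> granted.add(e.getKey());
                case "denied" -> denied.add(e.getKey());
                case "none" -> { } // cleared from both sets
                default -> throw new IllegalArgumentException(e.getValue());
            }
        }
        return new Ace(granted, denied);
    }

    public static void main(String[] args) {
        Ace empty = new Ace(Set.of(), Set.of());
        // The two requests from the report, in order.
        Map<String, String> first = Map.of("jcr:read", "granted");
        Map<String, String> second = Map.of("jcr:modifyAccessControl", "granted");
        System.out.println("replace: " + replace(replace(empty, first), second));
        System.out.println("merge:   " + merge(merge(empty, first), second));

        // Constructed case: an existing deny entry and an unrelated grant request.
        Ace withDeny = new Ace(Set.of(), Set.of("jcr:write"));
        System.out.println("replace: " + replace(withDeny, first));
        System.out.println("merge:   " + merge(withDeny, first));
    }
}
```

Under replace, the second request leaves only jcr:modifyAccessControl granted, matching the JSON in the report; in the constructed case the existing deny entry is dropped as well, while merge keeps it.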


[jira] Updated: (SLING-997) ModifyAceServlet replaces rather than merges privileges

Posted by "Eric Norman (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Norman updated SLING-997:
------------------------------

    Attachment: SLING-977_patch.txt

This patch includes a proposed fix to the issue + updated unit test to demonstrate that the fix is working.
