Posted to dev@sling.apache.org by "Dan Freeman (JIRA)" <ji...@apache.org> on 2012/09/14 17:14:07 UTC
[jira] [Created] (SLING-2600) Effective ACL servlet returns incorrect information
Dan Freeman created SLING-2600:
----------------------------------
Summary: Effective ACL servlet returns incorrect information
Key: SLING-2600
URL: https://issues.apache.org/jira/browse/SLING-2600
Project: Sling
Issue Type: Bug
Components: JCR
Affects Versions: JCR Jackrabbit Access Manager 2.1.0
Reporter: Dan Freeman
The GetEffectiveAclServlet only appears to reflect the permissions on the lowest node in the requested hierarchy that has an ACL, rather than aggregating all entries.
Given, e.g., a node structure with the following privileges:
/base
    principalA - jcr:write=granted
    principalB - jcr:write=granted
/base/child
    principalB - jcr:lockManagement=granted
When requesting /base/child.eacl.json, the expected result would be that the privileges granted to both principals on /base would be reflected, in addition to those declared directly on /base/child.
Instead, requests for /base/child.eacl.json and /base/child.acl.json both return:
{
  "principalB": {
    "granted": [
      "jcr:lockManagement"
    ],
    "order": 0,
    "principal": "principalB"
  }
}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Closed] (SLING-2600) Effective ACL servlet returns incorrect information
Posted by "Dan Freeman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dan Freeman closed SLING-2600.
------------------------------
Looks good. Thanks for your work on this!
[jira] [Assigned] (SLING-2600) Effective ACL servlet returns incorrect information
Posted by "Eric Norman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eric Norman reassigned SLING-2600:
----------------------------------
Assignee: Eric Norman
[jira] [Resolved] (SLING-2600) Effective ACL servlet returns incorrect information
Posted by "Eric Norman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eric Norman resolved SLING-2600.
--------------------------------
Resolution: Fixed
Fix Version/s: JCR Jackrabbit Access Manager 2.1.2
fixed in revision 1395204
[jira] [Reopened] (SLING-2600) Effective ACL servlet returns incorrect information
Posted by "Dan Freeman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dan Freeman reopened SLING-2600:
--------------------------------
Thanks for looking into this. For the given use case, the fix in revision 1395204 does the job, but there seem to be a few edge cases that still need attention.
If, for instance, I add the following to the example in the original description:
/base/child
    principalA - jcr:write=denied
Requesting /base/child.eacl.json will return the following:
{
  "principalA": {
    "denied": [
      "jcr:write"
    ],
    "granted": [
      "jcr:write"
    ],
    "order": 1,
    "principal": "principalA"
  },
  "principalB": {
    "granted": [
      "jcr:lockManagement",
      "jcr:write"
    ],
    "order": 0,
    "principal": "principalB"
  }
}
The ACL for principalB is now being correctly resolved, but the output for principalA is ambiguous. Again, thank you for your time.
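The aggregation discussed in this thread, as an added example that is not part of the original messages and not Sling's own code. It merges declared entries from the root down to the requested node and flags any principal whose output lists one privilege as both granted and denied, as in the reopen comment. The precedence rule (the entry nearest the requested node wins) and the names node_chain, effective_acl and ambiguous_entries are assumptions; the input data is constructed from the thread's example.

```python
import json

# Constructed input: the declared entries from the thread, as (principal, privilege, granted).
DECLARED = {
    "/base": [("principalA", "jcr:write", True), ("principalB", "jcr:write", True)],
    "/base/child": [("principalB", "jcr:lockManagement", True),
                    ("principalA", "jcr:write", False)],
}

# The .eacl.json body quoted in the reopen comment, minus the "order" field.
REPORTED = json.loads("""
{"principalA": {"denied": ["jcr:write"], "granted": ["jcr:write"], "principal": "principalA"},
 "principalB": {"granted": ["jcr:lockManagement", "jcr:write"], "principal": "principalB"}}
""")

def node_chain(path):
    """Return ['/', '/base', '/base/child'] for '/base/child' (root first)."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def effective_acl(declared, path):
    """Merge declared entries from the root down to `path`.

    Assumed rule: for the same principal and privilege, the entry declared
    closest to `path` replaces the inherited one. Privilege names are treated
    as opaque strings; aggregate privileges are not expanded.
    """
    state = {}  # principal -> {privilege: True (granted) / False (denied)}
    for node in node_chain(path):
        for principal, privilege, granted in declared.get(node, []):
            state.setdefault(principal, {})[privilege] = granted
    result = {}
    for principal, privs in state.items():
        entry = {"principal": principal}
        for key, wanted in (("granted", True), ("denied", False)):
            names = sorted(p for p, g in privs.items() if g is wanted)
            if names:
                entry[key] = names
        result[principal] = entry
    return result

def ambiguous_entries(eacl):
    """Map each principal to the privileges listed as both granted and denied."""
    found = {}
    for principal, entry in eacl.items():
        both = sorted(set(entry.get("granted", [])) & set(entry.get("denied", [])))
        if both:
            found[principal] = both
    return found
```

Running ambiguous_entries over a saved .eacl.json response gives a quick regression check for this bug: an empty result means no principal carries a contradictory grant and deny for the same privilege.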
[jira] [Resolved] (SLING-2600) Effective ACL servlet returns incorrect information
Posted by "Eric Norman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eric Norman resolved SLING-2600.
--------------------------------
Resolution: Fixed
Fix attempt #2 in revision 1396899