You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jackrabbit.apache.org by "Konrad Windszus (Jira)" <ji...@apache.org> on 2023/02/07 10:06:00 UTC

[jira] [Comment Edited] (JCRVLT-683) Import of Authorizable node with acHandling=IGNORE should preserve existing rep:principalPolicy child node

    [ https://issues.apache.org/jira/browse/JCRVLT-683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17685189#comment-17685189 ] 

Konrad Windszus edited comment on JCRVLT-683 at 2/7/23 10:05 AM:
-----------------------------------------------------------------

[~madamcin] Can you come up with failing ITs exposing the issues outlined here? Is any other ACL type outlined at https://jackrabbit.apache.org/filevault/acls.html affected apart from {{rep:PrincipalPolicy}} or does the issue only appear because {{rep:PrincipalPolicy}} appears below an authorizable node?


was (Author: kwin):
[~madamcin] Can you come up with failing ITs exposing the issues outlined here? Is any other ACL type outlined at https://jackrabbit.apache.org/filevault/acls.html affected apart from {{rep:PrincipalPolicy}}?

> Import of Authorizable node with acHandling=IGNORE should preserve existing rep:principalPolicy child node
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: JCRVLT-683
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-683
>             Project: Jackrabbit FileVault
>          Issue Type: Bug
>          Components: Packaging
>    Affects Versions: 3.6.6
>            Reporter: Mark Adamcin
>            Priority: Major
>
> For situations where an authorizable node may be distributed from another environment where a different rep:principalPolicy for the user is defined than exists for that user in the target environment, it is important that the existing rep:principalPolicy be preserved when acHandling is unset, acHandling=IGNORE, or acHandling=MERGE_PRESERVE.
> Currently, the effective behavior of such a package install, as [it appears to be implemented in DocViewImporter|https://github.com/apache/jackrabbit-filevault/blob/5f9657374bd6c2d3dd1f6e9e2be0b9f5b25ddc26/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/DocViewImporter.java#L782-L787], results in the following:
>  * If the package specifies acHandling=IGNORE, the existing rep:principalPolicy is deleted without replacement, regardless of whether the package contains its own rep:principalPolicy, which is equivalent to *acHandling=CLEAR*
>  * If the package specifies acHandling=MERGE_PRESERVE or MERGE, the existing rep:principalPolicy is replaced with whatever rep:principalPolicy is contained in the package, or deletes the policy if a replacement is not present, which is equivalent to *acHandling=OVERWRITE*
> Unexpectedly, the least destructive (and most default) acHandling mode (IGNORE) turns out to be as destructive to packaged system user permissions as choosing any other mode. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)