You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "angela (JIRA)" <ji...@apache.org> on 2019/07/31 09:57:00 UTC

[jira] [Created] (SLING-8604) AclUtil.setAcl: invalid assumptions regarding principal lookup

angela created SLING-8604:
-----------------------------

             Summary: AclUtil.setAcl: invalid assumptions regarding principal lookup
                 Key: SLING-8604
                 URL: https://issues.apache.org/jira/browse/SLING-8604
             Project: Sling
          Issue Type: Bug
          Components: Repoinit
            Reporter: angela


IMHO, {{AclUtil.setAcl}} makes the following invalid assumptions about principals:

# every principal is backed by a user/group defined by jackrabbit user management (which already is not necessarily true for the everyone group, which was probably the reason for the extra if for everyone)
# for those cases where a given principal is in fact associated with an known user/group, the implementation assumes that the principal name is identical to the ID

for the former it is sufficient to look at the everyone principal or at the synchronization mechanism in _oak-auth-external_, which defines an additional {{PrincipalProvider}} that does not require principals to be reflected as users/goups and for which setting up access control content is equally valid (see also _oak-exercise_ module for a simplistic, custom principal provider to play around with).

the latter can easily be illustrated by creating a user/group account with a different principal name by calling {{UserManager.createUser(String, String, Principal, String)}} or {{UserManager.createGroup(String, Principal, String}}.




--
This message was sent by Atlassian JIRA
(v7.6.14#76016)