Posted to dev@sling.apache.org by "Angela Schreiber (Jira)" <ji...@apache.org> on 2022/02/23 15:49:00 UTC

[jira] [Updated] (SLING-11160) Repoinit does not allow to remove individual ACEs

     [ https://issues.apache.org/jira/browse/SLING-11160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Angela Schreiber updated SLING-11160:
-------------------------------------
    Description: 
With SLING-9090 support for using _REMOVE *_ for all entries at a given path or for a given principal has been implemented.

However as indicated in the same issue the intended usage of _REMOVE some-thing-specific_ is not clear.

What is therefore missing with repo-init is the ability to remove a single access control entry that matches 
- principal
- privileges
- allow-status
- single value restriction
- mv restrictions.

As far as I can see the biggest issue is the fact that REMOVE vs ALLOW/DENY are mutually exclusive as the other params listed above can be extracted from a given AclLine in combination with the set-ACL statement.

This could be fixed by adjusting the following parser method
{code}
AclLine privilegesLineOperation() :
{}
{
    ( 
        <REMOVE>        { return new AclLine(AclLine.Action.REMOVE); }
        | ( <ALLOW>     { return new AclLine(AclLine.Action.ALLOW); } )
        | ( <DENY>      { return new AclLine(AclLine.Action.DENY); } )    
    ) 
}
{code}

such that
- REMOVE is optional, followed by 
- ALLOW or DENY

The {{AclLine}} would then need to be slightly adjusted such that REMOVE can be combined with either ALLOW or DENY.

Otherwise, I don't see how {{AccessControlList.removeAccessControlEntry(AccessControlEntry)}} could be implemented in org.apache.sling.jcr.repoinit for a single ACE.

Or maybe the intention was something different in the first place?
[~bdelacretaz], I would appreciate if you had time to comment on this.

cc: [~kpauls], [~cziegeler]


  was:
With SLING-9090 support for using _REMOVE *_ for all entries at a given path or for a given principal has been implemented.

However as indicated in the same issue the intended usage of _REMOVE some-thing-specific_ is not clear.

What is therefore missing repo-init is the ability to remove a single access control entry that matches 
- principal
- privileges
- allow-status
- single value restriction
- mv restrictions.

As far as I can see the biggest issue is the fact that REMOVE vs ALLOW/DENY are mutually exclusive as the other params listed above can be extracted from a given AclLine in combination with the set-ACL statement.

This could be fixed by adjusting the following parser method
{code}
AclLine privilegesLineOperation() :
{}
{
    ( 
        <REMOVE>        { return new AclLine(AclLine.Action.REMOVE); }
        | ( <ALLOW>     { return new AclLine(AclLine.Action.ALLOW); } )
        | ( <DENY>      { return new AclLine(AclLine.Action.DENY); } )    
    ) 
}
{code}

such that
- REMOVE is optional, followed by 
- ALLOW or DENY

The {{AclLine}} would then need to be slightly adjusted such that REMOVE can be combined with either ALLOW or DENY.

Otherwise, I don't see how {{AccessControlList.removeAccessControlEntry(AccessControlEntry)}} could be implemented in org.apache.sling.jcr.repoinit for a single ACE.

Or maybe the intention was something different in the first place?
[~bdelacretaz], I would appreciate if you had time to comment on this.

cc: [~kpauls], [~cziegeler]



> Repoinit does not allow to remove individual ACEs
> -------------------------------------------------
>
>                 Key: SLING-11160
>                 URL: https://issues.apache.org/jira/browse/SLING-11160
>             Project: Sling
>          Issue Type: Bug
>          Components: Repoinit
>            Reporter: Angela Schreiber
>            Priority: Major
>
> With SLING-9090 support for using _REMOVE *_ for all entries at a given path or for a given principal has been implemented.
> However as indicated in the same issue the intended usage of _REMOVE some-thing-specific_ is not clear.
> What is therefore missing with repo-init is the ability to remove a single access control entry that matches 
> - principal
> - privileges
> - allow-status
> - single value restriction
> - mv restrictions.
> As far as I can see the biggest issue is the fact that REMOVE vs ALLOW/DENY are mutually exclusive as the other params listed above can be extracted from a given AclLine in combination with the set-ACL statement.
> This could be fixed by adjusting the following parser method
> {code}
> AclLine privilegesLineOperation() :
> {}
> {
>     ( 
>         <REMOVE>        { return new AclLine(AclLine.Action.REMOVE); }
>         | ( <ALLOW>     { return new AclLine(AclLine.Action.ALLOW); } )
>         | ( <DENY>      { return new AclLine(AclLine.Action.DENY); } )    
>     ) 
> }
> {code}
> such that
> - REMOVE is optional, followed by 
> - ALLOW or DENY
> The {{AclLine}} would then need to be slightly adjusted such that REMOVE can be combined with either ALLOW or DENY.
> Otherwise, I don't see how {{AccessControlList.removeAccessControlEntry(AccessControlEntry)}} could be implemented in org.apache.sling.jcr.repoinit for a single ACE.
> Or maybe the intention was something different in the first place?
> [~bdelacretaz], I would appreciate if you had time to comment on this.
> cc: [~kpauls], [~cziegeler]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
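
Added example, not part of the original message and not repoinit's own code: a sketch of removing a single ACE through the JCR and Jackrabbit access control APIs, matching on the five criteria listed in the issue, which shows why the allow/deny status has to be known alongside REMOVE. The class name `SingleAceRemover`, its method signature, and the exact-match semantics (privileges compared by name, multi-valued restrictions compared in order) are assumptions made for illustration.

```java
import java.util.*;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;

/** Hypothetical helper: removes the first ACE at a path that matches all five criteria. */
public final class SingleAceRemover {

    /** Returns true if a matching entry was found and removed; the caller still has to save the session. */
    public static boolean remove(AccessControlManager acm, String path, String principalName,
            boolean isAllow, Set<String> privilegeNames, Map<String, List<String>> restrictions)
            throws RepositoryException {
        for (AccessControlPolicy policy : acm.getPolicies(path)) {
            if (!(policy instanceof AccessControlList)) continue;
            AccessControlList acl = (AccessControlList) policy;
            for (AccessControlEntry e : acl.getAccessControlEntries()) {
                // isAllow() and restrictions are only exposed by the Jackrabbit extension
                if (!(e instanceof JackrabbitAccessControlEntry)) continue;
                JackrabbitAccessControlEntry ace = (JackrabbitAccessControlEntry) e;
                if (ace.isAllow() == isAllow               // allow-status
                        && ace.getPrincipal().getName().equals(principalName)
                        && names(ace).equals(privilegeNames)
                        && restrictionsOf(ace).equals(restrictions)) {
                    acl.removeAccessControlEntry(ace);
                    acm.setPolicy(path, acl);              // write the modified list back
                    return true;
                }
            }
        }
        return false;
    }

    // Assumption: privileges are compared by name, so an aggregate does not match its expanded form.
    private static Set<String> names(AccessControlEntry ace) {
        Set<String> out = new HashSet<>();
        for (Privilege p : ace.getPrivileges()) out.add(p.getName());
        return out;
    }

    // getRestrictions(name) returns an array for single-valued and multi-valued restrictions alike.
    private static Map<String, List<String>> restrictionsOf(JackrabbitAccessControlEntry ace)
            throws RepositoryException {
        Map<String, List<String>> out = new HashMap<>();
        for (String name : ace.getRestrictionNames()) {
            List<String> values = new ArrayList<>();
            for (Value v : ace.getRestrictions(name)) values.add(v.getString());
            out.put(name, values);
        }
        return out;
    }
}
```

Without the `isAllow` argument, an allow entry and a deny entry for the same principal, privileges and restrictions cannot be told apart, which is the gap the issue attributes to REMOVE being mutually exclusive with ALLOW/DENY.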