Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2019/01/23 15:42:00 UTC

[jira] [Updated] (OAK-8000) AccessControlManagerImpl.getEffectivePolicies(String) doesn't respect restrictions

     [ https://issues.apache.org/jira/browse/OAK-8000?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela updated OAK-8000:
------------------------
    Attachment: OAK-8000.patch
                OAK-8000-test.patch

> AccessControlManagerImpl.getEffectivePolicies(String) doesn't respect restrictions
> ----------------------------------------------------------------------------------
>
>                 Key: OAK-8000
>                 URL: https://issues.apache.org/jira/browse/OAK-8000
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core, security
>            Reporter: angela
>            Assignee: angela
>            Priority: Minor
>         Attachments: OAK-8000-test.patch, OAK-8000.patch
>
>
> [~stillalex], looking at the implementation of {{AccessControlManagerImpl.getEffectivePolicies(String)}} I noticed that the implementation only walks up the hierarchy collecting the access control lists but does not evaluate whether the individual entries actually take effect on the tree defined by the 'absPath' param. While this is always true for entries without restrictions, it doesn't necessarily apply for entries that hold restrictions.
> The easiest way to fix this was probably to call the variant of {{createACL}} that takes a {{Predicate}} and use that one to read and evaluate the restriction pattern present with each entry tree. 
> Since the {{AccessControlManager.getEffectivePolicies}} is defined to be best-effort, I don't consider this a serious flaw. But for the sake of improved accuracy it might still be worth addressing. wdyt?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
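
The difference the report describes, as an added example that is not Oak code and not part of the original message: a simplified model (Java 16+) in which the hierarchy walk either returns every entry it finds or filters entries through a predicate that checks the entry's restriction against `absPath`. The class, method and sample names are hypothetical, and restrictions are modelled as plain path predicates rather than Oak's restriction patterns.

```java
import java.util.*;
import java.util.function.Predicate;

// Simplified model, not Oak code: an entry belongs to the ACL stored at a node;
// 'restriction' (nullable) narrows which paths below that node it applies to.
public class EffectivePoliciesDemo {
    record Entry(String principal, String privilege, Predicate<String> restriction) {}

    // Constructed sample content: access-controlled path -> entries of its ACL.
    static final Map<String, List<Entry>> ACLS = Map.of(
        "/content", List.of(
            new Entry("editors", "jcr:read", null),
            // stand-in for a restriction pattern: applies only to paths containing /public
            new Entry("guests", "jcr:read", p -> p.contains("/public"))),
        "/content/site", List.of(
            new Entry("authors", "jcr:write", p -> p.endsWith("/drafts"))));

    // Walk from absPath up to the root, keeping the entries accepted by 'filter'.
    static List<String> collect(String absPath, Predicate<Entry> filter) {
        List<String> result = new ArrayList<>();
        for (String path = absPath; path != null; path = parent(path)) {
            for (Entry e : ACLS.getOrDefault(path, List.of())) {
                if (filter.test(e)) {
                    result.add(path + ": " + e.principal() + " " + e.privilege());
                }
            }
        }
        return result;
    }

    static String parent(String path) {
        if (path.equals("/")) return null;
        int idx = path.lastIndexOf('/');
        return idx == 0 ? "/" : path.substring(0, idx);
    }

    // Behaviour described in the report: every entry found on the way up is returned.
    static List<String> withoutRestrictionCheck(String absPath) {
        return collect(absPath, e -> true);
    }

    // Direction proposed in the report: keep an entry only if its restriction matches absPath.
    static List<String> withRestrictionCheck(String absPath) {
        return collect(absPath, e -> e.restriction() == null || e.restriction().test(absPath));
    }

    public static void main(String[] args) {
        String absPath = "/content/site/private"; // constructed sample path
        System.out.println(withoutRestrictionCheck(absPath));
        System.out.println(withRestrictionCheck(absPath));
    }
}
```

For the sample path, the unfiltered walk reports the `guests` and `authors` entries even though neither restriction matches it; the filtered walk reports only the unrestricted `editors` entry.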