Posted to commits@sling.apache.org by en...@apache.org on 2010/02/28 20:44:54 UTC

svn commit: r917278 - in /sling/trunk: bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/ launchpad/content/src/main/resources/content/apps/sling/servlet/default/ launchpad/testing/src/test/java/org/apache/sling/launchpad/webapp/integration...

Author: enorman
Date: Sun Feb 28 19:44:54 2010
New Revision: 917278

URL: http://svn.apache.org/viewvc?rev=917278&view=rev
Log:
SLING-1413 - In Jackrabbit 2.0, Privileges can now be denied for Groups. The ModifyAceServlet and security ContentLoader should allow it as well.

Modified:
    sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java
    sling/trunk/launchpad/content/src/main/resources/content/apps/sling/servlet/default/ace.html.esp
    sling/trunk/launchpad/testing/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java

Modified: sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java?rev=917278&r1=917277&r2=917278&view=diff
==============================================================================
--- sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java (original)
+++ sling/trunk/bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/util/AccessControlUtil.java Sun Feb 28 19:44:54 2010
@@ -316,20 +316,18 @@
     		acl.addAccessControlEntry(principal, grantedPrivilegeList.toArray(new Privilege[grantedPrivilegeList.size()]));
     	}
 
-    	//if the authorizable is a user (not a group) process any denied privileges
+    	//process any denied privileges
     	UserManager userManager = getUserManager(session);
     	Authorizable authorizable = userManager.getAuthorizable(principal);
-    	if (!authorizable.isGroup()) {
-    		//add a fresh ACE with the denied privileges
-    		List<Privilege> deniedPrivilegeList = new ArrayList<Privilege>();
-    		for (String name : newDeniedPrivilegeNames) {
-    			Privilege privilege = accessControlManager.privilegeFromName(name);
-    			deniedPrivilegeList.add(privilege);
-    		}        
-    		if (deniedPrivilegeList.size() > 0) {
-    			addEntry(acl, principal, deniedPrivilegeList.toArray(new Privilege[deniedPrivilegeList.size()]), false);
-    		}
-    	}
+   		//add a fresh ACE with the denied privileges
+   		List<Privilege> deniedPrivilegeList = new ArrayList<Privilege>();
+   		for (String name : newDeniedPrivilegeNames) {
+   			Privilege privilege = accessControlManager.privilegeFromName(name);
+   			deniedPrivilegeList.add(privilege);
+   		}        
+   		if (deniedPrivilegeList.size() > 0) {
+   			addEntry(acl, principal, deniedPrivilegeList.toArray(new Privilege[deniedPrivilegeList.size()]), false);
+   		}
 
     	accessControlManager.setPolicy(resourcePath, acl);
     	if (log.isDebugEnabled()) {
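Review bot: With the `isGroup()` guard removed, the `userManager` and `authorizable` locals left as context lines above the deny block are never read in the visible code, so every ACL change still performs a lookup that decides nothing. Either delete those two lines, or keep the lookup and use it to reject a principal that resolves to no authorizable before the deny ACE is added. Because a deny entry on a group now affects every member, the comment could state that directly, e.g. `//deny entries are applied to users and groups alike; a group deny affects all of its members`. The enclosing method starts and ends outside this hunk, so whether `authorizable` is used later cannot be confirmed from here.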

Modified: sling/trunk/launchpad/content/src/main/resources/content/apps/sling/servlet/default/ace.html.esp
URL: http://svn.apache.org/viewvc/sling/trunk/launchpad/content/src/main/resources/content/apps/sling/servlet/default/ace.html.esp?rev=917278&r1=917277&r2=917278&view=diff
==============================================================================
--- sling/trunk/launchpad/content/src/main/resources/content/apps/sling/servlet/default/ace.html.esp (original)
+++ sling/trunk/launchpad/content/src/main/resources/content/apps/sling/servlet/default/ace.html.esp Sun Feb 28 19:44:54 2010
@@ -5,14 +5,12 @@
       response.sendError(404);
    } else {
       var principalId = request.getParameter("pid");
-      var isUser = false;
       var isValidPrincipal = false;
       if (principalId != null && principalId != "") {
          var userManager = Packages.org.apache.sling.jcr.base.util.AccessControlUtil.getUserManager(currentNode.session);
          if (userManager != null) {
             var authorizable = userManager.getAuthorizable(principalId);
             if (authorizable != null) {
-               isUser = !authorizable.isGroup();
                isValidPrincipal = true;
             } else {
                //no user/group matches the supplied principal id
@@ -72,12 +70,10 @@
          <table width="100%">
             <thead>
                <tr>
-                  <th align="left" width="<%=isUser ? '70%' : '55%'%>">Privilege</th>
+                  <th align="left" width="55%">Privilege</th>
                   <th align="center" width="15%">Ignored</th>
                   <th align="center" width="15%">Granted</th>
-                  <% if (isUser) { %>
                   <th align="center" width="15%">Denied</th>
-                  <% } %>
                </tr>
             </thead>
             <tbody>
@@ -86,12 +82,10 @@
                   var p = supported[i];
             %>
             <tr>
-               <td align="left" width="<%=isUser ? '70%' : '55%'%>"><%=p.getName()%></td>
+               <td align="left" width="55%"><%=p.getName()%></td>
                <td align="center" width="15%"><input type="radio" name="privilege@<%=p.getName()%>" value="none" <%=granted.contains(p) || denied.contains(p) ? "" : "checked"%> /></td>
                <td align="center" width="15%"><input type="radio" name="privilege@<%=p.getName()%>" value="granted" <%=granted.contains(p) ? "checked" : ""%> /></td>
-               <% if (isUser) { %>
                <td align="center" width="15%"><input type="radio" name="privilege@<%=p.getName()%>" value="denied" <%=denied.contains(p) ? "checked" : ""%> /></td>
-               <% } %>
             </tr>      
             <%      
                }
@@ -99,7 +93,7 @@
             </tbody>
             <tfoot>
                <tr>
-                  <td colspan="<%=isUser ? '3' : '2'%>"></td>
+                  <td colspan="3"></td>
                   <td align="center" width="15%">
                      <button accesskey="a" id="applyButton" class="form-button" type="submit">Apply</button>
                   </td>

Modified: sling/trunk/launchpad/testing/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/launchpad/testing/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java?rev=917278&r1=917277&r2=917278&view=diff
==============================================================================
--- sling/trunk/launchpad/testing/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java (original)
+++ sling/trunk/launchpad/testing/src/test/java/org/apache/sling/launchpad/webapp/integrationtest/accessManager/ModifyAceTest.java Sun Feb 28 19:44:54 2010
@@ -141,8 +141,9 @@
 		assertEquals(1, grantedArray.length());
 		assertEquals("jcr:read", grantedArray.getString(0));
 
-		//denied rights are not applied for groups, so make sure it is not there
-		assertTrue(aceObject.isNull("denied"));
+		JSONArray deniedArray = aceObject.getJSONArray("denied");
+		assertNotNull(deniedArray);
+		assertEquals("jcr:write", deniedArray.getString(0));
 	}
 	
 	/**
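Review bot: The new denied-privilege assertions check only element 0 and never the array length, unlike the granted check just above (`assertEquals(1, grantedArray.length());`). A group ACE that picked up extra denied privileges would still pass this test, so add `assertEquals(1, deniedArray.length());` before the `getString(0)` assertion. `assertNotNull(deniedArray)` probably adds nothing, since `getJSONArray` presumably throws rather than returning null when the key is missing. The test method begins outside this hunk.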