[jira] [Resolved] (JCR-3927) UserManager doesn't clean removed user nodes

["angela (JIRA)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/JCR-3927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela resolved JCR-3927.
-------------------------
    Resolution: Invalid

please note that this is not a bug. removing a user/group is a different task than editing access control. 
also in a productive environment user accounts should rather be disabled as reusing the same id for a different subject will pose many other problems (e.g. references in the version storage, in logs, created-by and lastmodified-by properties and so forth).

feel free to look at {{oak-examples}} for training material around that topic.

> UserManager doesn't clean removed user nodes
> --------------------------------------------
>
>                 Key: JCR-3927
>                 URL: https://issues.apache.org/jira/browse/JCR-3927
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>            Reporter: Kamil
>
> When I create JCR User and assign some privileges to him:
> {noformat}
> Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()), "workspace");
> UserManager userManager = ((JackrabbitSession)session).getUserManager();
> Principal principal = userManager.createUser("test", "test").getPrincipal();
> JackrabbitAccessControlList jacl = null;
> JackrabbitAccessControlManager acManager = (JackrabbitAccessControlManager) session.getAccessControlManager();
> JackrabbitAccessControlPolicy[] policies = acManager.getPolicies(principal);
> if (policies.length == 0) {
>     // No policies yet. Create one from the applicablePolicies
>     policies = acManager.getApplicablePolicies(principal);
> }
> jacl = (JackrabbitAccessControlList) policies[0];
> Privilege[] privileges = new Privilege[]{acManager.privilegeFromName(Privilege.JCR_ALL)};
> Map<String, Value> restrictions = new HashMap<String, Value>();
> ValueFactory vf = session.getValueFactory();
> restrictions.put("rep:nodePath", vf.createValue("/", PropertyType.PATH)); //and some other restrictions
> jacl.addEntry(principal, privileges, true, restrictions);
> acManager.setPolicy(jacl.getPath(), jacl);
> session.save();
> {noformat}
> and then I print out all the nodes:
> {noformat}
> QueryManager manager = session.getWorkspace().getQueryManager();
> Query query = manager.createQuery("SELECT * FROM [nt:base] AS n", Query.JCR_SQL2);
> NodeIterator res = query.execute().getNodes();
> while (res.hasNext()) {
> 	Node n = res.nextNode();
> 	System.out.println(String.format("%s: %s", n.getIdentifier(), n));
> }
> {noformat}
> Then I receive this:
> {noformat}
> cafebabe-cafe-babe-cafe-babecafebabe: node /
> e482b4ff-8faa-42e1-a534-25373d5abfbc: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t/te/test
> d0f7f4b5-f61f-457f-9b8f-0683bb937c5e: node /rep:accesscontrol
> b9446997-df48-4552-8ef9-cb4bdffcee53: node /rep:accesscontrol/rep:security
> 2a90eeb3-60d0-4f92-9175-d141c4c337e0: node /rep:accesscontrol/rep:security/rep:authorizables
> f900633b-09af-44b6-bb1f-151e283df245: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t/te/test/rep:policy
> 88fcb55b-efb2-40f3-90c1-976ba2a0c9fe: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t/te/test/rep:policy/entry2
> 464d7a4b-1268-49cf-a4c8-59cb9d6d800c: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t/te/test/rep:policy/entry0
> 84b93de7-d727-43d9-b49a-0bff86fbfef6: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t/te/test/rep:policy/entry1
> 9d3072ef-cd6c-4cf4-b726-4527fb0ab5b4: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t/te/test/rep:policy/entry
> 28bd07a8-ad99-4e06-a968-c863232a22a0: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users
> 4e4311f6-f984-4605-88ae-c6ad5e6475cf: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t
> 48b1f67e-f70a-4c77-8f0f-3952fefaf0b8: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t/te
> deadbeef-cafe-babe-cafe-babecafebabe: node /jcr:system
> deadbeef-face-babe-cafe-babecafebabe: node /jcr:system/jcr:versionStorage
> deadbeef-face-babe-ac71-babecafebabe: node /jcr:system/jcr:activities
> {noformat}
> But when I delete the user:
> {noformat}
> JackrabbitAccessControlManager acManager = (JackrabbitAccessControlManager) session.getAccessControlManager();
> JackrabbitAccessControlList jacl = //previously obtained JACL
> acManager.removePolicy(jacl.getPath(), jacl);
> authorizable.remove();
> session.save();
> {noformat}
> and print out all nodes again, I receive this output:
> {noformat}
> cafebabe-cafe-babe-cafe-babecafebabe: node /
> e482b4ff-8faa-42e1-a534-25373d5abfbc: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t/te/test
> d0f7f4b5-f61f-457f-9b8f-0683bb937c5e: node /rep:accesscontrol
> b9446997-df48-4552-8ef9-cb4bdffcee53: node /rep:accesscontrol/rep:security
> 2a90eeb3-60d0-4f92-9175-d141c4c337e0: node /rep:accesscontrol/rep:security/rep:authorizables
> 28bd07a8-ad99-4e06-a968-c863232a22a0: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users
> 4e4311f6-f984-4605-88ae-c6ad5e6475cf: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t
> 48b1f67e-f70a-4c77-8f0f-3952fefaf0b8: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t/te
> deadbeef-cafe-babe-cafe-babecafebabe: node /jcr:system
> deadbeef-face-babe-cafe-babecafebabe: node /jcr:system/jcr:versionStorage
> deadbeef-face-babe-ac71-babecafebabe: node /jcr:system/jcr:activities
> {noformat}
> so these nodes:
> {noformat}
> /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t/te/test
> 4e4311f6-f984-4605-88ae-c6ad5e6475cf: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t
> 48b1f67e-f70a-4c77-8f0f-3952fefaf0b8: node /rep:accesscontrol/rep:security/rep:authorizables/rep:users/t/te
> {noformat} 
> are still there instead of being removed.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)