You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jackrabbit.apache.org by "Tobias Bocanegra (JIRA)" <ji...@apache.org> on 2011/04/09 03:06:06 UTC
[jira] [Created] (JCR-2937) ACL with glob restrictions does not
work on '/'
ACL with glob restrictions does not work on '/'
-----------------------------------------------
Key: JCR-2937
URL: https://issues.apache.org/jira/browse/JCR-2937
Project: Jackrabbit Content Repository
Issue Type: Bug
Components: security
Affects Versions: 2.3.0
Reporter: Tobias Bocanegra
i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
eg:
everyone,allow,jcr:read, '/'
everyone,deny,jcr:read, '/', glob="/*"
the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (JCR-2937) ACL with glob restrictions does not
work on '/'
Posted by "Jukka Zitting (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jukka Zitting updated JCR-2937:
-------------------------------
Fix Version/s: (was: 2.3.0)
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.2.2
> Reporter: Tobias Bocanegra
> Assignee: angela
> Fix For: 2.2.7
>
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (JCR-2937) ACL with glob restrictions does not
work on '/'
Posted by "Tobias Bocanegra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tobias Bocanegra updated JCR-2937:
----------------------------------
Fix Version/s: 2.2.7
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.2.2
> Reporter: Tobias Bocanegra
> Assignee: angela
> Fix For: 2.2.7, 2.3.0
>
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (JCR-2937) ACL with glob restrictions does not
work on '/'
Posted by "Tobias Bocanegra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tobias Bocanegra updated JCR-2937:
----------------------------------
Comment: was deleted
(was: hoi.
danke!
aber:
char[] tm = (toMatch.endsWith("/")) ? toMatch.substring(0,
toMatch.length()-1).toCharArray() : toMatch.toCharArray();
ist ja wohl ober-lahm (==inperformant) :-) wie waers mit:
char[] tm = toMatch.toCharArray();
len = tm.length;
if (tm[len-1] == '/') len--;
return matches(patternChars, 0, tm., len)
ps: der muss auch ins crx 2.2. soll ich einen bug machen?
gruss, t
)
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.2.2
> Reporter: Tobias Bocanegra
> Assignee: angela
> Fix For: 2.3.0
>
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (JCR-2937) ACL with glob restrictions does not
work on '/'
Posted by "angela (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela updated JCR-2937:
------------------------
Affects Version/s: (was: 2.3.0)
2.2.2
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.2.2
> Reporter: Tobias Bocanegra
> Assignee: angela
> Fix For: 2.3.0
>
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Assigned] (JCR-2937) ACL with glob restrictions does not
work on '/'
Posted by "angela (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela reassigned JCR-2937:
---------------------------
Assignee: angela
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.3.0
> Reporter: Tobias Bocanegra
> Assignee: angela
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (JCR-2937) ACL with glob restrictions does not
work on '/'
Posted by "angela (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela resolved JCR-2937.
-------------------------
Resolution: Fixed
Fix Version/s: 2.3.0
> the same works for a non-root node.
not quite. the problem was the "trailing" slash that is present with the root node but
never with regular node paths.
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.2.2
> Reporter: Tobias Bocanegra
> Assignee: angela
> Fix For: 2.3.0
>
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (JCR-2937) ACL with glob restrictions does not
work on '/'
Posted by "angela (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13019731#comment-13019731 ]
angela commented on JCR-2937:
-----------------------------
i see... interpreted your initial comment "i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath" that you want to allow READ on '/' and only '/'. but what you want is "deny READ to subnodes of '/' but not '/'.
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.3.0
> Reporter: Tobias Bocanegra
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (JCR-2937) ACL with glob restrictions does not
work on '/'
Posted by "angela (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13019897#comment-13019897 ]
angela commented on JCR-2937:
-----------------------------
the properties get the permission inherited from the node unless there is a restriction matching specifically.
the jcr:read privilege currently is in our implementation not aggregated and thus does not allow to distinguish between different types of items.
in other word: reading the node includes readability of it's property with the only exception that the jackrabbit extensions are used and the read access is narrowed by a pattern that only matches a subset of items (nodes or properties)
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.3.0
> Reporter: Tobias Bocanegra
> Assignee: angela
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (JCR-2937) ACL with glob restrictions does not
work on '/'
Posted by "angela (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela resolved JCR-2937.
-------------------------
Resolution: Invalid
use empty string restriction value (see JCR 2700 and GlobPattern)
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.3.0
> Reporter: Tobias Bocanegra
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (JCR-2937) ACL with glob restrictions does not
work on '/'
Posted by "Tobias Bocanegra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028371#comment-13028371 ]
Tobias Bocanegra commented on JCR-2937:
---------------------------------------
hoi.
danke!
aber:
char[] tm = (toMatch.endsWith("/")) ? toMatch.substring(0,
toMatch.length()-1).toCharArray() : toMatch.toCharArray();
ist ja wohl ober-lahm (==inperformant) :-) wie waers mit:
char[] tm = toMatch.toCharArray();
len = tm.length;
if (tm[len-1] == '/') len--;
return matches(patternChars, 0, tm., len)
ps: der muss auch ins crx 2.2. soll ich einen bug machen?
gruss, t
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.2.2
> Reporter: Tobias Bocanegra
> Assignee: angela
> Fix For: 2.3.0
>
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (JCR-2937) ACL with glob restrictions does not
work on '/'
Posted by "Tobias Bocanegra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13019891#comment-13019891 ]
Tobias Bocanegra commented on JCR-2937:
---------------------------------------
yes. the desired, effective result should be:
- "everyone" allow read "/" (and it's properties ?)
- "everyone" deny read "/*" (all subnodes of "/")
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.3.0
> Reporter: Tobias Bocanegra
> Assignee: angela
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Reopened] (JCR-2937) ACL with glob restrictions does not
work on '/'
Posted by "Tobias Bocanegra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tobias Bocanegra reopened JCR-2937:
-----------------------------------
from JCR-2700:
> an empty string restriction forces the ACE to take effect on the node it has been applied.
which means in this case, effect on '/'. but if i want to restrict the subnodes of '/' i can't express this. but i can for all other nodes than '/'.
eg: using '/*' works but on '/' which is not intuitive.
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.3.0
> Reporter: Tobias Bocanegra
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Issue Comment Edited] (JCR-2937) ACL with glob restrictions
does not work on '/'
Posted by "Tobias Bocanegra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13019714#comment-13019714 ]
Tobias Bocanegra edited comment on JCR-2937 at 4/14/11 7:43 AM:
----------------------------------------------------------------
from JCR-2700:
> an empty string restriction forces the ACE to take effect on the node it has been applied.
which means in this case, effect on '/'. but if i want to restrict the subnodes of '/' i can't express this. but i can for all other nodes than '/'.
eg: using '/*' works but not on '/' which is not intuitive.
was (Author: tripod):
from JCR-2700:
> an empty string restriction forces the ACE to take effect on the node it has been applied.
which means in this case, effect on '/'. but if i want to restrict the subnodes of '/' i can't express this. but i can for all other nodes than '/'.
eg: using '/*' works but on '/' which is not intuitive.
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.3.0
> Reporter: Tobias Bocanegra
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (JCR-2937) ACL with glob restrictions does not
work on '/'
Posted by "Tobias Bocanegra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13019905#comment-13019905 ]
Tobias Bocanegra commented on JCR-2937:
---------------------------------------
does this mean: "everyone" deny jcr:all read "/*", denies read to properties of / ?
if yes, wouldn't it be better to clearly distinct properties from subnodes in the patterns? eg:
allow jcr:read glob = /jcr:* (allow all sub nodes start with jcr:*)
deny jcr:read glob = /@jcr:* (deny all properties start with jcr:*)
in general, maybe a (simplified) xpath expression would be better suitable to define a set of items instead of globbing patterns.
> ACL with glob restrictions does not work on '/'
> -----------------------------------------------
>
> Key: JCR-2937
> URL: https://issues.apache.org/jira/browse/JCR-2937
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: security
> Affects Versions: 2.3.0
> Reporter: Tobias Bocanegra
> Assignee: angela
>
> i tried to define a ACL on '/' that would allow 'read' on '/' itself, but not for the nodes underneath. i tried "*", "/*", "./*" but none of them seem to do the desired effect.
> eg:
> everyone,allow,jcr:read, '/'
> everyone,deny,jcr:read, '/', glob="/*"
> the same works for a non-root node.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira