Posted to users@jackrabbit.apache.org by Kevin Jansz <ke...@exari.com> on 2011/02/08 06:39:29 UTC

Granting access to versionStorage?

In a repository (versioning & security configured)
- a user can create a resource in an area where the ACLs allow it (say
"testuser" has jcr:all on /content/example)
- they can view the history of versions for the resource
- they hit an issue if they try to label a version (system code is
running javax.jcr.version.VersionHistory.addVersionLabel(String,
String, boolean) on behalf of the user)
        - this hits an AccessDeniedException
- checking the ACLs in the versionStorage area
(/jcr:system/jcr:versionStorage/../../....) this is set to
        - administrators have jcr:all
        - everyone has jcr:read
        this must be the default as this area has not had ACLs configured
- all attempts to edit ACLs on /jcr:system/jcr:versionStorage/ seem to
have no effect


I probably haven't described this well, but it seems I might be using
the methods in the wrong way ... in summary:
- is version labelling meant to be an administrators-only function?
- if not, it seems that having jcr:all on something that is
mix:versionable does not automatically mean you'll have
label (jcr:versionManagement or jcr:modifyProperties?) access to the
item's version history. Are there
recommendations/examples for how this can/should be configured?

Regards,
Kevin

--
Kevin Jansz
kevin.jansz@exari.com
Level 7, 10-16 Queen Street, Melbourne 3000 Australia
Tel +61 3 9621 2773 | Fax +61 3 9621 2776
Exari Systems
Boston | London | Melbourne | Munich
www.exari.com

Test drive our software online - www.exari.com/demo-trial.html
Read our blog on document assembly - blog.exari.com

Re: Granting access to versionStorage?

Posted by Kevin Jansz <ke...@exari.com>.
On further investigation I can partially answer some of my question(s)

* Version labelling is an admin-only function by default - but you can
grant access controls to allow this for users that are not the
admin-user
* Having privileges on a resource does not correspond to any
privileges on the corresponding version nodes being created in version
history

* Support for non-admin users access to "label" items in version
history can be achieved (with the default node-type definitions) by
granting write access to jcr:system. This involves:
1) add mixin rep:AccessControllable to /jcr:system
- without this, attempts to add ACLs will not be possible
- this isn't supported for /jcr:system/jcr:versionStorage or its
children in the default node-type definition. It may be customisable?
2) grant jcr:write privilege on /jcr:system for the principals that require it
- weighing up the functionality gained by having non-admin version
labelling vs any security issues with having broader access than
default to /jcr:system




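The two steps in the reply above, worked through against the JCR 2.0 access-control API, as added example code written for this page; it is not code from the original post or from Jackrabbit itself. It assumes Jackrabbit 2.x with the default node types, an admin session, a user "testuser" as in the thread, and a mix:versionable node at /content/example that the user has already checked in at least once. The class name, method names, the "reviewed" label and the password handling are invented for the illustration. The check at the end reproduces the failure described in the first post (AccessDeniedException from addVersionLabel) before the grant and shows it succeeding after.

```java
import java.security.Principal;
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import javax.jcr.version.VersionHistory;
import javax.jcr.version.VersionManager;
import org.apache.jackrabbit.api.JackrabbitSession;

public class VersionLabelAccess {

    static final String SYSTEM_PATH = "/jcr:system";
    static final String CONTENT_PATH = "/content/example"; // assumed, taken from the thread

    /** Step 1 and 2 from the reply: make /jcr:system access-controllable, then grant jcr:write. */
    static void grantWriteOnSystem(Session admin, String userId) throws RepositoryException {
        Node system = admin.getNode(SYSTEM_PATH);
        // Step 1: without rep:AccessControllable the ACL cannot be attached to /jcr:system.
        if (!system.isNodeType("rep:AccessControllable")) {
            system.addMixin("rep:AccessControllable");
        }
        // Resolve the principal for the user id through the Jackrabbit user manager.
        Principal principal = ((JackrabbitSession) admin).getUserManager()
                .getAuthorizable(userId).getPrincipal();
        AccessControlManager acm = admin.getAccessControlManager();
        AccessControlList acl = findOrCreateAcl(acm, SYSTEM_PATH);
        // Step 2: jcr:write on /jcr:system. The version storage below it cannot carry its own
        // ACL with the default node types, so this inherited grant is what makes labelling work.
        Privilege[] write = { acm.privilegeFromName(Privilege.JCR_WRITE) };
        acl.addAccessControlEntry(principal, write);
        acm.setPolicy(SYSTEM_PATH, acl);
        admin.save();
    }

    /** Reuse an ACL already bound at the path, otherwise take the applicable (unbound) one. */
    static AccessControlList findOrCreateAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy bound : acm.getPolicies(path)) {
            if (bound instanceof AccessControlList) {
                return (AccessControlList) bound;
            }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy candidate = it.nextAccessControlPolicy();
            if (candidate instanceof AccessControlList) {
                return (AccessControlList) candidate;
            }
        }
        throw new RepositoryException("no ACL policy applicable at " + path);
    }

    /** The call from the first post, run as the user: true if the label was added. */
    static boolean labelBaseVersion(Session user, String path, String label)
            throws RepositoryException {
        VersionManager vm = user.getWorkspace().getVersionManager();
        VersionHistory history = vm.getVersionHistory(path);
        String versionName = vm.getBaseVersion(path).getName();
        try {
            history.addVersionLabel(versionName, label, false);
            return true;
        } catch (AccessDeniedException denied) {
            // jcr:all on /content/example alone ends up here: the version nodes live under
            // /jcr:system/jcr:versionStorage, where "everyone" only has jcr:read by default.
            return false;
        }
    }

    /** Demonstrates the before/after behaviour; credentials are placeholders. */
    static void demo(Repository repo, char[] adminPassword, char[] userPassword)
            throws RepositoryException {
        Session admin = repo.login(new SimpleCredentials("admin", adminPassword));
        Session user = repo.login(new SimpleCredentials("testuser", userPassword));
        try {
            boolean before = labelBaseVersion(user, CONTENT_PATH, "reviewed");
            System.out.println("label before grant: " + before); // false with default ACLs
            grantWriteOnSystem(admin, "testuser");
            user.refresh(false); // pick up the new policy in the user's session
            boolean after = labelBaseVersion(user, CONTENT_PATH, "reviewed");
            System.out.println("label after grant: " + after);
        } finally {
            user.logout();
            admin.logout();
        }
    }
}
```

The trade-off the reply raises still applies: jcr:write on /jcr:system is inherited by everything beneath it, not just the version histories of nodes the user may write to, so confine the grant to specific principals (a group such as "editors" rather than "everyone") and verify with acm.hasPrivileges(SYSTEM_PATH, write) from the user's own session that nobody else picked it up.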