You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jackrabbit.apache.org by "Alexander Klimetschek (JIRA)" <ji...@apache.org> on 2016/04/13 02:52:25 UTC
[jira] [Created] (JCR-3966) AccessControlUtils should not depend on
ability to read other users
Alexander Klimetschek created JCR-3966:
------------------------------------------
Summary: AccessControlUtils should not depend on ability to read other users
Key: JCR-3966
URL: https://issues.apache.org/jira/browse/JCR-3966
Project: Jackrabbit Content Repository
Issue Type: Improvement
Components: jackrabbit-jcr-commons
Affects Versions: 2.12.1
Reporter: Alexander Klimetschek
Most methods in AccessControlUtils - while taking the principal name as argument - always [fetch the principal|https://github.com/apache/jackrabbit/blob/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/jackrabbit/authorization/AccessControlUtils.java#L369] via the jackrabbit PrincipalManager.
This (at least in Oak) requires the user to have read access on the user behind the principal, otherwise it returns null and an NPE is thrown.
Setting an AC however does not (and should not) require access to the complete user, and can be done by implementing the principal on the spot:
{code}
new JackrabbitPrincipal() {
@Override
public String getName() {
return principalName;
}
};
{code}
This uses the JackrabbitPrincipal as the [PrincipalImpl in Oak casts|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/PrincipalImpl.java#L51] to this one for the equality test.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)