Posted to oak-commits@jackrabbit.apache.org by tr...@apache.org on 2014/04/11 01:17:45 UTC
svn commit: r1586499 - in /jackrabbit/oak/branches/1.0:
oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/
oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/
Author: tripod
Date: Thu Apr 10 23:17:44 2014
New Revision: 1586499
URL: http://svn.apache.org/r1586499
Log:
OAK-1720 PermissionValidator may throw AccessDenied if testing for NO_PERMISSION
Added:
jackrabbit/oak/branches/1.0/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteWithCustomPrivilege.java
Modified:
jackrabbit/oak/branches/1.0/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
Modified: jackrabbit/oak/branches/1.0/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.0/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java?rev=1586499&r1=1586498&r2=1586499&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.0/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java (original)
+++ jackrabbit/oak/branches/1.0/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.java Thu Apr 10 23:17:44 2014
@@ -223,15 +223,17 @@ class PermissionValidator extends Defaul
return;
}
long toTest = getPermission(parent, property, defaultPermission);
- boolean isGranted;
- if (Permissions.isRepositoryPermission(toTest)) {
- isGranted = permissionProvider.getRepositoryPermission().isGranted(toTest);
- } else {
- isGranted = parentPermission.isGranted(toTest, property);
- }
+ if (toTest != Permissions.NO_PERMISSION) {
+ boolean isGranted;
+ if (Permissions.isRepositoryPermission(toTest)) {
+ isGranted = permissionProvider.getRepositoryPermission().isGranted(toTest);
+ } else {
+ isGranted = parentPermission.isGranted(toTest, property);
+ }
- if (!isGranted) {
- throw new CommitFailedException(ACCESS, 0, "Access denied");
+ if (!isGranted) {
+ throw new CommitFailedException(ACCESS, 0, "Access denied");
+ }
}
}
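Review bot: When `getPermission(parent, property, defaultPermission)` yields `Permissions.NO_PERMISSION`, the new guard skips both `isGranted` calls, so the property change is accepted with no authorization decision at this point. That makes the branch fail-open, and its safety depends entirely on `getPermission`, which lies outside this hunk, as does the start of the enclosing method. It is worth confirming that `NO_PERMISSION` is returned only for items that deliberately need no check, never as a fallback for unrecognised ones. I would record that contract above the guard, for example `// NO_PERMISSION: getPermission found nothing to enforce for this item (OAK-1720); skip the check rather than test isGranted on an empty permission set`.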
Added: jackrabbit/oak/branches/1.0/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteWithCustomPrivilege.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.0/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteWithCustomPrivilege.java?rev=1586499&view=auto
==============================================================================
--- jackrabbit/oak/branches/1.0/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteWithCustomPrivilege.java (added)
+++ jackrabbit/oak/branches/1.0/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/WriteWithCustomPrivilege.java Thu Apr 10 23:17:44 2014
@@ -0,0 +1,90 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.jcr.security.authorization;
+
+import javax.jcr.Session;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.api.JackrabbitWorkspace;
+import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
+import org.junit.Test;
+
+public class WriteWithCustomPrivilege extends AbstractEvaluationTest {
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ PrivilegeManager privilegeManager = ((JackrabbitWorkspace) superuser.getWorkspace()).getPrivilegeManager();
+ try {
+ privilegeManager.getPrivilege("replicate");
+ } catch (AccessControlException e) {
+ privilegeManager.registerPrivilege("replicate", false, null);
+ }
+ }
+
+ @Test
+ public void testWriteAndCustomPrivilege() throws Exception {
+ Privilege[] privs = privilegesFromNames(new String[] {
+ Privilege.JCR_VERSION_MANAGEMENT, Privilege.JCR_LOCK_MANAGEMENT,
+ "replicate", "rep:write"});
+ allow(path, testGroup.getPrincipal(), privs);
+
+ assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName("replicate")));
+
+ assertTrue(testSession.hasPermission(path + "/newNode", Session.ACTION_ADD_NODE));
+ assertTrue(testSession.hasPermission(childPPath, Session.ACTION_SET_PROPERTY));
+ assertTrue(testSession.hasPermission(path + "/newProperty", Session.ACTION_SET_PROPERTY));
+ assertTrue(testSession.hasPermission(path + "/newProperty", Permissions.getString(Permissions.ADD_PROPERTY)));
+
+ testSession.getNode(path).setProperty("newProperty", "value");
+ testSession.save();
+
+ deny(path, testUser.getPrincipal(), privilegesFromName("replicate"));
+
+ assertFalse(testAcMgr.hasPrivileges(path, privilegesFromName("replicate")));
+
+ assertTrue(testSession.hasPermission(childPPath, Session.ACTION_SET_PROPERTY));
+ assertTrue(testSession.hasPermission(path + "/newProperty2", Session.ACTION_SET_PROPERTY));
+ assertTrue(testSession.hasPermission(path + "/newProperty2", Permissions.getString(Permissions.ADD_PROPERTY)));
+
+ testSession.getNode(path).setProperty("newProperty2", "value");
+ testSession.save();
+ }
+
+ @Test
+ public void testWriteAndCustomPrivilege2() throws Exception {
+ Privilege[] privs = privilegesFromNames(new String[] {
+ Privilege.JCR_VERSION_MANAGEMENT, Privilege.JCR_LOCK_MANAGEMENT,
+ "replicate", "rep:write"});
+ allow(path, testGroup.getPrincipal(), privs);
+
+ assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName("replicate")));
+ assertTrue(testSession.hasPermission(path + "/newNode", Session.ACTION_ADD_NODE));
+ testSession.getNode(path).addNode("newNode");
+ testSession.save();
+
+ deny(path, testUser.getPrincipal(), privilegesFromName("replicate"));
+
+ assertFalse(testAcMgr.hasPrivileges(path, privilegesFromName("replicate")));
+ assertTrue(testSession.hasPermission(path + "/newNode2", Session.ACTION_ADD_NODE));
+ testSession.getNode(path).addNode("newNode2");
+ testSession.save();
+ }
+}
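Review bot: Both test methods only assert that writes succeed after `replicate` is denied; nothing checks that a write is still rejected when `rep:write` itself is missing or denied. A regression that widened the new `NO_PERMISSION` skip in `PermissionValidator` would therefore pass this suite. I would add a third case that grants only `replicate`, attempts `testSession.getNode(path).setProperty(...)` followed by `testSession.save()`, and expects the access-denied failure. Separately, the class name `WriteWithCustomPrivilege` has no `Test` prefix or suffix, so if the build selects tests by name pattern it may never run; renaming it to `WriteWithCustomPrivilegeTest` would rule that out.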