You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Eric Norman (Jira)" <ji...@apache.org> on 2022/04/09 21:13:00 UTC
[jira] [Resolved] (SLING-11233) Change ACL json output structure to be less ambiguous for restrictions
[ https://issues.apache.org/jira/browse/SLING-11233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eric Norman resolved SLING-11233.
---------------------------------
Resolution: Fixed
Merged PR at: [{{505c173}}|https://github.com/apache/sling-org-apache-sling-jcr-jackrabbit-accessmanager/commit/505c1736947e510f8dd54be27a6422271dcde5b5]
> Change ACL json output structure to be less ambiguous for restrictions
> ----------------------------------------------------------------------
>
> Key: SLING-11233
> URL: https://issues.apache.org/jira/browse/SLING-11233
> Project: Sling
> Issue Type: Improvement
> Reporter: Eric Norman
> Assignee: Eric Norman
> Priority: Major
> Fix For: JCR Jackrabbit Access Manager 3.0.12
>
> Time Spent: 2h 10m
> Remaining Estimate: 0h
>
> The restriction details in the ACL json output can be ambiguous in some situations.
> For example, in the example below it is not clear if the "rep:glob" restriction applies to the "jcr:read" privilege or the "rep:write" privilege.
>
> {code:java}
> {
> "user1":{
> "principal":"user1",
> "granted":[
> "jcr:read"
> ],
> "denied":[
> "rep:write"
> ],
> "order":0,
> "restrictions":{
> "rep:glob":"glob1"
> }
> }
> } {code}
>
>
> Expected:
> The JSON structure of the ACE should be enhanced to make it more clear.
> For example, replace the "granted/denied/restrictions" items with a "privileges" structure whose items are the granted or denied privileges. Each privilege has a "deny" and/or "grant" child whose value is either true (no restrictions) or an array of restrictions + values.
> For example:
>
> {code:java}
> {
> "user1":{
> "principal":"user1",
> "order":0,
> "privileges":{
> "jcr:read":{
> "allow":{
> "rep:glob":"glob1"
> }
> },
> "jcr:readAccessControl":{
> "allow":{
> "rep:itemNames":[
> "name1",
> "name2"
> ]
> }
> },
> "rep:write":{
> "deny":true
> }
> }
> }
> } {code}
> The new format should also be flexible enough to describe a privilege that is granted and denied with different restrictions for each of those states. That scenario is impossible to describe in the old format.
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)